CyberSecurity SEE

Chinese Hackers Utilizing Open Source Tools Such as Nmap for Cyber Attacks

Chinese state-backed threat groups, including APT10, GALLIUM, and Stately Taurus, have been utilizing a modified version of the open-source network scanning tool NBTscan for over a decade. This tool, originally designed for network discovery and forensics, allows these threat groups to send NetBIOS status queries to specified IP addresses, extracting valuable information like IP addresses, computer names, usernames, and MAC addresses.
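The NetBIOS status queries described above are what a defender can look for on the wire: a NBSTAT node status request for the wildcard name "*" on UDP/137, sent by one host to many others. The following is an added example, not code from the article or from NBTscan, that parses such queries and flags sources sweeping many hosts; all packets, addresses and the threshold are constructed for illustration.

```python
# Added example (not NBTscan's or the article's code): recognise NetBIOS node
# status (NBSTAT) queries on UDP/137 and flag sources that send them to many
# hosts, the traffic pattern NBTscan-style reconnaissance produces.
import struct
from collections import defaultdict

# NetBIOS name "*" padded to 16 bytes, first-level encoded (RFC 1001 section 14.1)
NBSTAT_WILDCARD = b"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
QTYPE_NBSTAT = 0x0021   # node status request
QCLASS_IN = 0x0001
MIN_LEN = 12 + 1 + 32 + 1 + 4   # header + length byte + name + root label + type/class

def is_nbstat_query(payload: bytes) -> bool:
    """True if a UDP/137 payload is a single-question node status query for '*'."""
    if len(payload) < MIN_LEN:
        return False
    flags, qdcount = struct.unpack(">HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:              # skip responses and odd packets
        return False
    if payload[12] != 0x20 or payload[45] != 0x00:  # 32-char label, then root label
        return False
    qtype, qclass = struct.unpack(">HH", payload[46:50])
    return payload[13:45] == NBSTAT_WILDCARD and qtype == QTYPE_NBSTAT and qclass == QCLASS_IN

def find_nbstat_sweeps(records, min_targets=8):
    """records: (src_ip, dst_ip, dst_port, payload) tuples. Returns {src: sorted
    targets} for sources that sent NBSTAT queries to >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, dport, payload in records:
        if dport == 137 and is_nbstat_query(payload):
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

# Constructed sample packets: a wildcard NBSTAT query and a plain name query for "HOST1"
SAMPLE_NBSTAT_QUERY = (bytes.fromhex("123400000001000000000000") + b"\x20"
                       + NBSTAT_WILDCARD + b"\x00" + b"\x00\x21\x00\x01")
SAMPLE_NAME_QUERY = (SAMPLE_NBSTAT_QUERY[:13] + b"EIEPFDFEDB" + b"CA" * 10 + b"AA"
                     + b"\x00" + b"\x00\x20\x00\x01")

# Constructed flow records (hypothetical addresses)
SAMPLE_RECORDS = (
    # 10.0.0.99 sends NBSTAT queries to 16 hosts: the sweep we want to detect
    [("10.0.0.99", f"10.0.0.{i}", 137, SAMPLE_NBSTAT_QUERY) for i in range(1, 17)]
    # an admin checking a single host stays below the threshold
    + [("10.0.0.5", "10.0.0.7", 137, SAMPLE_NBSTAT_QUERY)]
    # ordinary name resolution by broadcast is not a status query at all
    + [("10.0.0.6", "10.0.0.255", 137, SAMPLE_NAME_QUERY)]
)

if __name__ == "__main__":
    for src, hosts in find_nbstat_sweeps(SAMPLE_RECORDS).items():
        print(f"possible NBTscan-style sweep from {src}: {len(hosts)} hosts queried")
```

In practice the records would come from a packet capture or an NSM sensor's UDP/137 payloads, and the threshold should be tuned against the number of hosts a legitimate administrator queries.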

APT10, a Chinese threat group, has been using a customized version of NBTscan to conduct reconnaissance against various targets. In operations like Cloud Hopper and Soft Cell, they targeted managed IT service providers and global telecommunication providers, respectively. By leveraging NBTscan’s capabilities, APT10 could identify vulnerabilities in systems and map network infrastructure to plan further attacks.

Another Chinese state-affiliated threat group, GALLIUM, was identified by Microsoft for targeting global telecommunication providers in 2019. They utilized a range of tools, including NBTscan, to identify open NetBIOS nameservers and gather system information within targeted networks. This underscores the importance of such reconnaissance tools in conducting sophisticated cyber operations.

Stately Taurus, also known as Mustang Panda, is another Chinese cyber espionage threat actor that has been employing NBTscan to scan infected environments for live hosts, open ports, and domain information. Additionally, other Chinese threat groups like Earth Lusca and TGR-STA-0043 have also been reported to use NBTscan for their malicious activities, indicating its widespread usage among Chinese threat actors.

In addition to NBTscan, Chinese state-sponsored hacking groups like APT40 have been utilizing tools like ScanBox for reconnaissance purposes. ScanBox is a JavaScript-based framework used in targeted phishing campaigns against various entities, where it collects information about visitors to compromised websites. This highlights the evolving tactics and techniques employed by Chinese threat actors to gather intelligence and launch cyberattacks.

Furthermore, TGR-STA-0043, a Chinese-aligned APT group responsible for Operation Diplomatic Specter, has transitioned to using a newly developed penetration testing toolset called Yasso. This tool offers advanced features like SQL penetration functions and database capabilities, indicating a more sophisticated and well-resourced threat actor. Their targeting of governmental entities in different regions underscores the geopolitical implications of cyber espionage activities.

Moreover, Chinese-nexus threat actor Earth Krahang heavily relies on open-source scanning tools like sqlmap, nuclei, xray, pocsuite, and wordpressscan to identify vulnerable targets for attacks. The presence of a repository called “Scanners Box,” containing numerous open-source scanning tools developed by Chinese-speaking developers, highlights the significant interest and investment in creating such tools within the Chinese cybersecurity community.

Overall, the repeated use of NBTscan and other scanning tools by Chinese threat groups illustrates the critical role these tools play in their malicious activities. As these threat actors continue to evolve and adapt their tactics, it is essential for cybersecurity professionals to stay vigilant and prepared to defend against such sophisticated threats.
