Report: Chinese state-sponsored hacking group highly active

BANGKOK: A Chinese hacking group that is likely state-sponsored and has been linked previously to attacks on US state government computers is still “highly active” and is focusing on a broad range of targets that may be of strategic interest to China’s government and security services, a private American cybersecurity firm said in a new report Thursday.
The hacking group, which the report calls RedGolf, shares such close overlap with groups tracked by other security companies under the names APT41 and BARIUM that it is thought they are either the same or very closely affiliated, said Jon Condra, director of strategic and persistent threats for Insikt Group, the threat research division of Massachusetts-based cybersecurity company Recorded Future.
Following up on earlier reports of APT41 and BARIUM activity and tracking the targets that had been attacked, Insikt Group said it had identified a cluster of domains and infrastructure “highly likely used across several campaigns by RedGolf” over the past two years.
“We believe this activity is likely being conducted for intelligence purposes rather than financial gain due to overlaps with previously reported cyberespionage campaigns,” Condra said in an emailed response to questions from The Associated Press.
China’s Foreign Ministry denied the accusations, saying, “This company has produced false information on so-called ‘Chinese hacker attacks’ more than once in the past. Their related actions are groundless accusations, far-fetched, and lack professionalism.”
Chinese authorities have consistently denied any form of state-sponsored hacking, instead saying China itself is a major target of cyberattacks.
APT41 was implicated in a 2020 US Justice Department indictment that accused Chinese hackers of targeting more than 100 companies and institutions in the US and abroad, including social media and video game companies, universities and telecommunications providers.
In its analysis, Insikt Group said it found evidence that RedGolf “remains highly active” in a range of countries and industries, “targeting aviation, automotive, education, government, media, information technology and religious organizations.”
Insikt Group did not identify specific victims of RedGolf, but said it was able to observe scanning and exploitation attempts targeting different sectors with a version of the KEYPLUG backdoor malware also used by APT41.
Insikt said it had identified several other malicious tools used by RedGolf in addition to KEYPLUG, “all of which are commonly used by many Chinese state-sponsored threat groups.”
In 2022, the cybersecurity firm Mandiant reported that APT41 was responsible for breaches of the networks of at least six US state governments, also using KEYPLUG.
In that case, APT41 exploited a previously unknown vulnerability in an off-the-shelf commercial web application used by 18 states for animal health management, according to Mandiant, which is now owned by Google. It did not identify which states’ systems had been compromised.
Mandiant called APT41 “a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.”
Cyber intelligence companies use different tracking methodologies and often name the threats they identify differently, but Condra said APT41, BARIUM and RedGolf “likely refer to the same set of threat actor or group(s)” because of similarities in their online infrastructure, tactics, techniques and procedures.
“RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally,” he said.
“The group has shown the ability to rapidly weaponize newly reported vulnerabilities and has a history of developing and using a variety of custom malware families.”
Insikt Group concluded that the use of KEYPLUG malware through certain types of command and control servers by RedGolf and similar groups is “highly likely to continue” and recommended that clients ensure these servers are blocked as soon as they are detected.
