Chinese hackers are using the war between Ukraine and Russia to send booby-trapped emails


Two cybersecurity companies have spotted hacking campaigns carried out by groups based in China. The emails purport to share public information about the war in Eastern Europe in order to deceive their victims.

A war always attracts its share of opportunists. According to several cybersecurity companies, groups of Chinese hackers are reportedly taking advantage of the panic caused by Russia's invasion of Ukraine to collect sensitive information.

The Slovak company ESET Research has spotted malware spread through an extensive phishing campaign that exploits the war between the two countries and is led by the Chinese group Mustang Panda.

In a report published on March 23, ESET researchers attribute this operation “with great confidence” to hackers in the Middle Kingdom, based on “the similarity of codes and many commonalities in tactics, techniques and procedures” with previous attacks.

Hackers offered to download official documents

The emails claimed to contain information about the conflict and mainly targeted government entities and NGOs. The files to be downloaded were, for example, named “Situation at EU borders”.

The file was actually a Trojan horse containing a backdoor that gives the attackers administrative control of the computer. ESET Research dubbed the malware “Hodur” because it is believed to be a variant of “Thor”, a malware family detected by Palo Alto Networks in 2021. The researchers drew on Norse mythology, Hodur being the blind half-brother of the god Thor.

Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and European Parliament and Commission regulations, says ESET Research. “One of the lures is a real document, available on the European Council website. This shows that the group behind this campaign follows the news and is able to react to it successfully and quickly,” says Alexandre Côté Cyr, author of the report.

Among the targeted countries are Greece, Cyprus, Russia, Mongolia, Viet Nam, Myanmar, South Sudan and South Africa.

The hacker group offers to download an official document available on the European Union website to deceive the victim. // Source: ESET Research

A first Chinese attack since the start of the invasion

Scarab, another hacking group based in China, is also said to have profited from the war, this time by going after Ukrainian targets. Its activity was spotted by Sentinel Labs, which detailed the modus operandi in a report published on March 24. Analysis of the metadata associated with the decoy documents suggests that the authors are using a Chinese-language version of Windows.
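The metadata analysis mentioned above is a routine forensic step: an Office lure is a ZIP archive whose `docProps/core.xml` and `docProps/app.xml` parts record the author, last editor, language tag and authoring application. The following added example (written for this article, not tooling from ESET or Sentinel Labs, and not the method either vendor used on the Scarab lures) builds a small constructed .docx in memory with invented field values, extracts those properties, and flags the kinds of hints that point at a Chinese-language authoring environment. The CJK-character and `zh` language-tag heuristics are assumptions of this example.

```python
"""Extract authoring metadata from an OOXML (.docx) lure and flag language hints.

Added example for this article; the sample document below is constructed inline
and every field value in it is invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two standard OOXML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dc:language",
               "dcterms:created", "dcterms:modified"]
APP_FIELDS = ["ep:Application", "ep:Company", "ep:AppVersion"]

# Constructed core.xml: "用户" is the Chinese word for "User", the kind of
# default account name a lure author might leave behind (sample value only).
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>用户</dc:creator>
  <cp:lastModifiedBy>用户</cp:lastModifiedBy>
  <dc:language>zh-CN</dc:language>
  <dcterms:created xsi:type="dcterms:W3CDTF">2022-03-01T08:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2022-03-02T09:40:00Z</dcterms:modified>
</cp:coreProperties>""" % NS

# Constructed app.xml (extended properties part).
APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="%(ep)s">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
</Properties>""" % NS


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx archive containing only the parts we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    return buf.getvalue()


def _read_part(z: zipfile.ZipFile, name: str):
    """Parse one XML part, or return None if the archive lacks it."""
    try:
        return ET.fromstring(z.read(name))
    except KeyError:
        return None


def extract_properties(docx_bytes: bytes) -> dict:
    """Return the non-empty core and extended properties as a flat dict."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = _read_part(z, "docProps/core.xml")
        app = _read_part(z, "docProps/app.xml")
    for root, fields in ((core, CORE_FIELDS), (app, APP_FIELDS)):
        if root is None:
            continue
        for field in fields:
            value = root.findtext(field, namespaces=NS)
            if value and value.strip():
                props[field] = value.strip()
    return props


def _has_cjk(text: str) -> bool:
    """True if the string contains a character from the main CJK ideograph block."""
    return any("\u4e00" <= ch <= "\u9fff" for ch in text)


def language_indicators(props: dict) -> list:
    """Heuristic hints (assumption of this example) that the author used a
    Chinese-language environment. Metadata is attacker-controlled, so treat
    these as weak, corroborating signals rather than proof."""
    hints = []
    lang = props.get("dc:language", "")
    if lang.lower().startswith("zh"):
        hints.append("document language tag %s" % lang)
    for field in ("dc:creator", "cp:lastModifiedBy", "ep:Company"):
        value = props.get(field, "")
        if value and _has_cjk(value):
            hints.append("%s contains CJK characters: %s" % (field, value))
    return hints


if __name__ == "__main__":
    found = extract_properties(build_sample_docx())
    for key, value in found.items():
        print("%-20s %s" % (key, value))
    print("indicators:", language_indicators(found))
```

Run it on a real sample by replacing `build_sample_docx()` with the bytes of the file under analysis; a document with no Chinese hints (an `en-US` tag and ASCII author names) returns an empty list. Because the properties are trivially editable, an analyst uses them alongside code similarity and infrastructure overlap, as ESET's attribution above does, rather than on their own.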

This time the hackers impersonated the Ukrainian National Police, sending an email purportedly about preserving video evidence of Russian military crimes. Once the attached file was downloaded, the malware could implant a backdoor into the system. In a press release, the Ukrainian cyberpolice also indicated that it had detected this group of hackers.

Sentinel Labs adds that it is “the first public example of a Chinese actor targeting Ukraine since the invasion began. While there has been a marked increase in reported attacks on Ukraine over the past week, these and all previous attacks come from Russian threat actors.” Active since at least 2012, this Chinese group has been spotted several times targeting individuals in the United States and Russia.

China does not currently provide logistical or financial support to Russia. The two groups mentioned have been linked to the Middle Kingdom by many experts, and for the moment no one can prove whether they act independently or under the tutelage of Beijing.
