Chinese APT suspected of supply chain attack on Mongolian government agencies

Chinese hackers have compromised the update mechanism of a chat app used by hundreds of Mongolian government agencies.
Written by Catalin Cimpanu, Contributor

A Chinese state-sponsored hacking group, also known as an APT, is suspected of having breached a Mongolian software company and compromised a chat app used by hundreds of Mongolian government agencies.

The attack is believed to have taken place earlier this year, in June, according to a report published today by Slovak security firm ESET.

The hackers targeted an app called Able Desktop, developed by a local company named Able Software. According to the company's website, the app is an add-on that provides instant messaging capabilities to the company's main product, a human resources management (HRM) platform.

Able Software claims its platform is used by more than 430 Mongolian government agencies, including the Office of the President, the Ministry of Justice, the Ministry of Health, various local law enforcement agencies, and many local governments.

Software abused by hackers since at least 2018

ESET says that because of its widespread use among government workers, the app has been at the center of several malware distribution efforts since at least 2018.

Initial attacks revolved around adding malware to the Able Desktop chat app and spreading a trojanized version of the app's installer via email, hoping to trick employees into infecting themselves.

Payloads in these attacks included the HyperBro backdoor and the PlugX remote access trojan.

But while these attacks were successful, ESET says that things changed in June 2020, when the attackers appear to have found a way inside Able's backend and compromised the system that delivers software updates to all Able Software apps.

ESET researchers say attackers abused this system on at least two occasions to deliver a malware-laced Able Desktop chat app through the official update mechanism.

For these attacks, the intruders again delivered the HyperBro backdoor, but they switched the remote access component from PlugX to Tmanger.
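The report summarized above says nothing about how the Able Desktop updater fetched or validated its downloads, so the following is an added illustration and not Able Software's or ESET's code. It shows the control that blunts exactly this class of attack: the client only installs a payload whose manifest carries a valid Ed25519 signature from a publisher key that is pinned in the updater and held off the update server, so an attacker who owns the server can swap the installer (or rewrite the manifest) but cannot produce a manifest the client accepts. The names Manifest, SignRelease, VerifyRelease and Scenario, the manifest layout and the sample installer bytes are assumptions made for this example; the key pair is generated inline only for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest accompanies an installer download. Everything in it except the
// signature can be rewritten by whoever controls the update server, so the
// client trusts none of it until the signature checks out.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the installer bytes
	Signature []byte // Ed25519 over signingInput(Version, SHA256)
}

// signingInput fixes the exact bytes the publisher signs, binding version and
// digest together so neither can be swapped independently.
func signingInput(version, digest string) []byte {
	return []byte("update-manifest-v1\n" + version + "\n" + digest)
}

// SignRelease models the publisher's build step. The private key is meant to
// live on an offline signing machine, not on the update server that was
// compromised in the Able case.
func SignRelease(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, signingInput(version, digest)),
	}
}

// VerifyRelease is the client-side gate: it must return nil before the
// installer is written to disk or executed.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pub, signingInput(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest not signed by the pinned publisher key")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer digest does not match the signed manifest")
	}
	return nil
}

// Scenario replays three deliveries from the update server and returns the
// client's verdict on each: a genuine release, a trojanized installer served
// with the genuine manifest, and a manifest the attacker edited to match the
// trojanized installer. Key pair and installer bytes are constructed for the demo.
func Scenario() (genuine, trojanized, forgedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("AbleDesktop-setup.exe (constructed sample bytes)")
	m := SignRelease(priv, "2020.6.1", installer)

	genuine = VerifyRelease(pub, m, installer)

	// Attacker swaps the installer on the server but leaves the manifest alone.
	evil := append([]byte{}, installer...)
	evil = append(evil, []byte(" + backdoor loader")...)
	trojanized = VerifyRelease(pub, m, evil)

	// Attacker also rewrites the manifest digest; without the private key the
	// old signature no longer covers the new contents.
	forged := m
	sum := sha256.Sum256(evil)
	forged.SHA256 = hex.EncodeToString(sum[:])
	forgedManifest = VerifyRelease(pub, forged, evil)
	return genuine, trojanized, forgedManifest
}

func main() {
	g, t, f := Scenario()
	fmt.Println("genuine release:      ", g)
	fmt.Println("trojanized installer: ", t)
	fmt.Println("forged manifest:      ", f)
}
```

The check only helps if the signing key is not reachable from the server that was compromised; a key kept on the update backend would simply have been used by the intruders. It also does not stop a compromised server from re-serving an old, validly signed release, which is why real updaters additionally refuse versions older than the one already installed.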


At the time of writing, it is unclear if the attackers used the compromised Able update feature to install malware on all the systems they could reach or if they only went after selected targets.

ESET said it has notified Able Software of the compromise but could not provide further details.

Furthermore, ESET was unable to attribute the attack to one particular group: all the malware strains used had previously been deployed by different China-linked APTs, such as LuckyMouse and TA428, and the campaign also used the ShadowPad backdoor, a malware platform shared by many other Chinese APTs, including CactusPete, TICK, IceFog, KeyBoy, and the umbrella group Winnti.

ESET believes these groups are either collaborating, sharing the same tools, or are subgroups of a larger threat actor that controls their operations and targeting.


Besides the ESET report, cyber-security firm Avast also published its own report on these attacks, likewise linking the perpetrators to China and classifying the attacks as cyber-espionage.
