Single server ties hacked diplomatic cables to Chinese cyberattacks worldwide

Further investigation into a single C2 has revealed some interesting results.
Written by Charlie Osborne, Contributing Writer

A single command-and-control (C2) has revealed an extensive web of activity related to Chinese cyberattack groups, researchers say.

On Tuesday, cybersecurity professionals from the BlackBerry Cylance Threat Intelligence team published a report on recent Chinese hacking activity based on research made public in December by Area 1 Security.

Researchers from Area 1 Security said at the time that an ongoing campaign, launched by state-sponsored Chinese threat actors, had obtained "access into the diplomatic correspondence network of the European Union."

According to the report, the Ministry of Foreign Affairs of Cyprus and the overall COREU diplomatic network -- used to facilitate communication between all 28 EU countries -- had been compromised, leading to the exposure of diplomatic cables and far more besides. Over 100 organizations are believed to have been targeted, including trade unions and think tanks.

The infiltration of the network was attributed to the Strategic Support Force (SSF) of the People's Liberation Army (PLA), China's elite hacking team.

BlackBerry Cylance noted an interesting point within the researchers' findings -- the discovery of a single C2 server used in these targeted attacks.

Upon further investigation, it seems this C2 is also connected to a range of other Chinese threat actors -- described as "disparate" groups by BlackBerry Cylance -- which are sharing the same malware and exploit builders.

The researchers say they were able to find a connection between the military arm of the Chinese government's hacking teams and hackers tasked with cyberespionage, managed by the National Security Commission, state police, or the Ministry of State Security.

While the former focuses on military efforts, the latter tends to target Chinese activists and groups including the Muslim minority of ethnic Uyghurs, Falun Gong practitioners, Tibetans, and supporters of Taiwanese independence. Collectively, these groups are known as the Five Poisons and are reportedly deemed dangerous by the Chinese government.

Palo Alto Networks says that these groups are often targeted by malware known as Reaver which also has ties to the SUTR and SunOrcal malware strains. The malware families were also used in cyberattacks relating to the Taiwanese presidential election in 2016.

BlackBerry Cylance says it has found newer variants of the malware, alongside as-yet unnamed samples.

"Whether Reaver, and its predecessors, are tools wielded by Chinese groups focused internally on separatist movements, or by a division of the Chinese Army re-tasked to serve the same mission, is unknown," the researchers say. "However, it is clear that the group behind Reaver used some of the same infrastructure as the group behind the Area 1 attacks on the European Union and United Nations."

The C2 domain connected to the previously documented Area 1 research, updates.organiccrap[.]com, resolved to 50.117.96[.]147 during 2017. However, a day before that first resolution, another domain, tashdqdxp[.]com, was resolving to the same IP address.


This domain name has been connected to the previous Reaver campaign. A number of new C2 domains are also now resolving to the same IP address which are deploying new Reaver variants.
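The pivot described above, from one C2 domain to the IP it resolved to and then to every other domain that shared that IP, is a routine passive-DNS analysis step for defenders. The following is an added example, not code from the article or from BlackBerry Cylance, that works the same pivot over a small set of constructed passive-DNS records. The defanged domains and IP are the indicators named in the article; the dates and the unrelated "example" domains are constructed for illustration only (the article says only "during 2017" and "a day before").

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation: domain -> ip over [first_seen, last_seen]."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records. The two real indicators and the IP come from the
# article; every date and the *.example / *.net entries are made up here.
SAMPLE_RECORDS = [
    PdnsRecord("updates.organiccrap[.]com", "50.117.96[.]147", date(2017, 3, 10), date(2017, 9, 1)),
    PdnsRecord("tashdqdxp[.]com", "50.117.96[.]147", date(2017, 3, 9), date(2017, 3, 12)),
    PdnsRecord("unrelated-site[.]net", "198.51.100[.]7", date(2017, 1, 1), date(2017, 12, 31)),
    PdnsRecord("newer-c2[.]example", "50.117.96[.]147", date(2019, 1, 5), date(2019, 2, 1)),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into its real form for lookups."""
    return indicator.replace("[.]", ".")


def overlap_days(a: PdnsRecord, b: PdnsRecord) -> int:
    """Days on which both records were simultaneously live on the same IP (0 if disjoint)."""
    start = max(a.first_seen, b.first_seen)
    end = min(a.last_seen, b.last_seen)
    return max(0, (end - start).days + 1)


def pivot_on_ip(records, seed_domain):
    """Map each IP the seed domain resolved to -> other domains that shared that IP."""
    seed_ips = {r.ip for r in records if r.domain == seed_domain}
    shared = defaultdict(list)
    for r in records:
        if r.ip in seed_ips and r.domain != seed_domain:
            shared[r.ip].append(r)
    return {ip: sorted(recs, key=lambda r: r.first_seen) for ip, recs in shared.items()}


def pivot_report(records, seed_domain):
    """For every co-hosted domain, report when it appeared relative to the seed
    (negative offset = it was on the IP first) and how long the two overlapped."""
    seed_by_ip = {r.ip: r for r in records if r.domain == seed_domain}
    report = []
    for ip, others in pivot_on_ip(records, seed_domain).items():
        seed = seed_by_ip[ip]
        for other in others:
            report.append({
                "domain": other.domain,
                "ip": ip,
                "first_seen_offset_days": (other.first_seen - seed.first_seen).days,
                "overlap_days": overlap_days(seed, other),
            })
    return sorted(report, key=lambda e: e["first_seen_offset_days"])


if __name__ == "__main__":
    for entry in pivot_report(SAMPLE_RECORDS, "updates.organiccrap[.]com"):
        print(entry)
```

In the constructed data, tashdqdxp[.]com shows up with an offset of -1 day and a short overlap, which is the "a day before the first resolution" relationship the article describes; the 2019 domain shows a large positive offset and zero overlap, the pattern of a later campaign reusing the same address. Offsets and overlap are what let an analyst separate real infrastructure sharing from coincidental hosting on a busy IP, so the report carries both rather than a bare list of domains.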

The latest Reaver variants are using both new and old network infrastructure. However, BlackBerry Cylance also found a new backdoor, dubbed "Sparkle," which is rarely deployed.

Documents were also connected to these campaigns which have previously been attributed to Goblin Panda, a Chinese APT known for targeting defense, energy, and government organizations in Vietnam and other countries across Asia.


The researchers say that it is possible that the evidence of overlapping tools indicates that the Chinese government is "expanding" its reach beyond traditional setups, or could be giving separate groups -- even if based at different agencies -- the means to access and share tools and infrastructure, whether they are located in the country or not.


The researchers' assessment further suggests that these hacking groups are sharing indicators of compromise (IoCs) or adopting the same targets as other teams, and so BlackBerry Cylance says that this constant motion may mean that risk assessments tied to particular APTs become inaccurate over time.

"If defenders are overly reliant on blacklisting indicators of compromise, or else making risk assessments based on what they perceive the interests of Chinese APT groups to be, they will remain vulnerable to an attacker who is changing both its tools and its targets," BlackBerry Cylance added.
