Security researchers have reported a cyber espionage campaign, attributed to the China-linked group Earth Krahang, that has targeted at least 116 organizations in 45 countries since the beginning of 2022. According to the Trend Micro researchers tracking the group, most of the activity was directed at government bodies.
Of the affected organizations, 48 government organizations, including 10 foreign affairs ministries, were confirmed compromised, while a further 49 government agencies were targeted without a confirmed compromise.
The attackers exploited vulnerabilities in Internet-facing servers and deployed custom backdoors through specially crafted phishing emails to carry out cyber espionage.
The attackers scanned public-facing servers for known vulnerabilities, among them CVE-2023-32315 (an authentication bypass via path traversal in the Openfire admin console) and CVE-2022-21587, listed in the report against Control Web Panel; note that CVE-2022-21587 is in fact the Oracle E-Business Suite Web Applications Desktop Integrator flaw, and the Control Web Panel remote command execution bug is tracked as CVE-2022-44877. Exploitation gave them unauthorized access and a foothold from which to maintain a presence in victims' networks.
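A practical check for the Openfire issue above is to look for its signature in web access logs: the bypass requests a page under the unauthenticated `/setup/setup-s/` prefix but uses encoded `..` segments (including the non-standard `%u002e` form) to escape into the admin console. The following script is an added example written for this article, not code from the report or from Openfire; the log lines are constructed, and the function names are the author's own.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines in Combined Log Format (not from the report).
# Lines 2 and 3 are traversal attempts that returned 200; line 4 is a harmless setup page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:08:14:02 +0000] "GET /login.jsp HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:14:09 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:15:44 +0000] "GET /setup/setup-s/%2e%2e/%2e%2e/log.jsp HTTP/1.1" 200 912 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2024:08:16:01 +0000] "GET /setup/setup-s/index.jsp HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(raw):
    """Decode a request path the way a lenient servlet container would.

    The Openfire bypass relies on the non-standard %uXXXX escape, so that form is
    expanded first; ordinary percent-encoding is handled by urllib afterwards.
    """
    expanded = re.sub(r'%u([0-9a-fA-F]{4})',
                      lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(expanded)


def is_setup_traversal(raw_path):
    """True if a request under /setup/setup-* resolves outside /setup/ after decoding."""
    path = raw_path.split('?', 1)[0]
    if not path.lower().startswith('/setup/setup-'):
        return False
    normalized = posixpath.normpath(decode_path(path))
    return not normalized.startswith('/setup/')


def scan_access_log(log_text):
    """Return one finding per request that matches the traversal pattern.

    A 2xx status on such a request means the protected page was actually served,
    which is the strong signal; other statuses indicate a probe that was blocked.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_setup_traversal(m.group('path')):
            continue
        status = int(m.group('status'))
        findings.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'raw_path': m.group('path'),
            'target': posixpath.normpath(decode_path(m.group('path').split('?', 1)[0])),
            'status': status,
            'severity': 'exploited' if 200 <= status < 300 else 'probe',
        })
    return findings


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['severity']:9} {hit['ip']:15} {hit['timestamp']} -> {hit['target']}")
```

Decoding the `%uXXXX` form before normalising matters: a detector that only runs standard percent-decoding sees `/setup/setup-s/%u002e%u002e/...` as a path safely under `/setup/` and misses exactly the variant used against Openfire.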
Specialized phishing emails were used for initial access, with topics based on geopolitical events to entice recipients to open attachments or click on links.
Once inside a network, Earth Krahang repurposed the compromised infrastructure to host malicious downloads, redirect attack traffic, and send spear-phishing emails from hijacked government mailboxes.
In one instance, the group used a compromised government institution's mailbox to send malicious emails to 796 addresses within the same institution, exploiting the trust placed in an internal sender in the manner of a business email compromise (BEC).
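A mailbox that suddenly addresses hundreds of distinct colleagues is a detectable anomaly regardless of what the messages say. The script below is an added example for this article, not code from the report; it slides a time window over a constructed send log, counts distinct recipients per sender, and raises one alert when a sender exceeds a threshold, with an allowlist for legitimate bulk senders such as a newsletter account. The log format, names and threshold are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample send log, one event per line: "<ISO timestamp> <sender> <recipient>".
# alice is normal traffic, newsletter is a known bulk sender, dave is a hijacked
# mailbox mailing fifteen distinct colleagues within fifteen seconds.
SAMPLE_MAIL_LOG = "\n".join(
    [
        "2024-03-10T08:02:11Z alice@ministry.example bob@ministry.example",
        "2024-03-10T08:40:05Z alice@ministry.example carol@ministry.example",
        "2024-03-10T09:10:33Z newsletter@ministry.example all-staff@ministry.example",
        "2024-03-10T10:15:49Z alice@ministry.example bob@ministry.example",
    ]
    + [f"2024-03-10T09:30:{i:02d}Z dave@ministry.example user{i}@ministry.example"
       for i in range(15)]
)


def parse_mail_log(log_text):
    """Yield (timestamp, sender, recipient) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sender.lower(), rcpt.lower()


def fan_out_alerts(log_text, window_seconds=3600, threshold=10, allowlist=frozenset()):
    """Alert once per sender that reaches `threshold` distinct recipients inside a window."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt in parse_mail_log(log_text):
        if sender not in allowlist:
            by_sender[sender].append((ts, rcpt))

    alerts = []
    for sender, events in by_sender.items():
        events.sort()
        in_window = Counter()   # recipient -> number of sends still inside the window
        start = 0
        for ts, rcpt in events:
            in_window[rcpt] += 1
            # Drop events older than the window from the left edge.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                domain = sender.rsplit("@", 1)[-1]
                internal = sum(1 for r in in_window if r.rsplit("@", 1)[-1] == domain)
                alerts.append({
                    "sender": sender,
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": ts.isoformat(),
                    "distinct_recipients": len(in_window),
                    "internal_recipients": internal,
                })
                break   # one alert per sender is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for a in fan_out_alerts(SAMPLE_MAIL_LOG, allowlist={"newsletter@ministry.example"}):
        print(a)
```

In production the fixed threshold would be replaced by a per-sender baseline, but the shape is the same: the `internal_recipients` count is what separates an insider mass-mailing from a hijacked account spraying its own organisation, as in the case described above.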
Earth Krahang also installed SoftEther VPN servers on compromised public-facing servers to reach the private networks behind them and to move laterally within them. Because SoftEther tunnels over TCP and mimics HTTPS, an unexpected vpnserver process or new listener (its defaults are TCP 443, 992, 1194 and 5555) on a web-facing host is a more reliable indicator than the traffic itself.
For command execution and data collection the group used Cobalt Strike together with the RESHELL and XDealer backdoors; XDealer has both Linux and Windows builds and supports taking screenshots, logging keystrokes, and capturing clipboard contents.
Trend Micro's analysis also highlights links between Earth Krahang and other Chinese cyber espionage groups, suggesting that they may operate under a common entity tasked with spying on government entities.
The researchers have published a full list of indicators of compromise (IOCs) for the Earth Krahang campaign in their complete report, giving security teams vital information to safeguard organizations against