Chinese Government-Supported Hacker Group Conducted Cyberattacks on North and South American Ministries of Foreign Affairs
A hacker group with ties to the Chinese government, tracked by researchers under the code name “Flea,” conducted a series of cyberattacks on ministries of foreign affairs in North and South America between late 2022 and early 2023. This was revealed in a report by cybersecurity firm Symantec posted on its website.
According to the report, Flea used a new piece of malware, Graphican, to gain remote access to infected computers. In addition to foreign ministries, other government and private organizations in several countries were also affected.
As the Symantec report states, Flea is a group of advanced cybercriminals that has been attacking governments, embassies and diplomats since 2004. It operates under several aliases, including APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.
Flea has been busy with multiple operations in recent months. In January, it was discovered that the group was responsible for a series of cyberattacks on Iranian government structures between mid-July and the end of December 2022. And just last month, it was revealed that the Kenyan government had also been a target of Flea’s three-year-long reconnaissance operation, which focused on key ministries and state institutions in the country.
The use of Graphican in Flea's most recent campaign is notable. The new malware, an evolution of the group's already known Ketrican tool, leverages the Microsoft Graph API and OneDrive to obtain the address of its command-and-control (C2) server. Once it has that address, the malware can receive arbitrary commands from the operators, including opening an interactive command line, uploading files to the host, and launching hidden processes to collect data of interest.
Another interesting tool used during the attacks was an updated version of the malicious EWSTEW code, which extracts sent and received emails from compromised Exchange servers.
The use of new and sophisticated malicious code shows that Flea, despite its long history of activity, continues to actively develop new tools, as Symantec notes.
It is worth mentioning that abuse of the Microsoft Graph API and OneDrive has previously been observed from both Russian and Chinese groups, such as APT28 (also known as SWALLOWTAIL) and Bad Magic (also known as Red Stinger).
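The Graph API and OneDrive abuse described for Graphican above, and again for APT28 and Bad Magic, gives defenders a concrete telemetry angle: a process that is not a known Microsoft 365 client resolving or contacting Graph or OneDrive endpoints is worth a closer look. The detection logic below is an added example, not code from the Symantec report; the event format, the watched hostnames and the list of expected client processes are assumptions to be tuned per environment, and the sample events are constructed.

```python
"""Flag non-M365 processes reaching Microsoft Graph / OneDrive endpoints.
Added example; event format and allowlists are assumptions, sample data is constructed."""
import fnmatch
import json

# Hostnames involved in Graph / OneDrive access (assumption: typical endpoints).
WATCHED_HOSTS = ("graph.microsoft.com", "login.microsoftonline.com",
                 "*.files.1drv.com", "onedrive.live.com", "*.sharepoint.com")

# Process images expected to talk to these services on a managed workstation
# (assumption: tune to the environment; legitimate admin scripts may need adding).
EXPECTED_IMAGES = {"outlook.exe", "onedrive.exe", "msedge.exe", "chrome.exe",
                   "teams.exe", "msteams.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def _watched(host: str) -> bool:
    return any(fnmatch.fnmatch(host.lower(), pattern) for pattern in WATCHED_HOSTS)


def suspicious_graph_access(event_lines):
    """Each line is a JSON network event with image, pid, user, dst_host.
    Returns events whose destination is a Graph/OneDrive host but whose
    process image is not on the expected-client list. Malformed lines are skipped."""
    hits = []
    for line in event_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()  # basename only
        if _watched(ev.get("dst_host", "")) and image not in EXPECTED_IMAGES:
            hits.append({"pid": ev.get("pid"), "image": image,
                         "user": ev.get("user"), "dst_host": ev["dst_host"]})
    return hits


# Constructed sample telemetry: two benign M365 client connections, one unrelated
# connection, two connections from an unexpected binary (token fetch, then Graph),
# and one corrupt line.
SAMPLE_EVENTS = [
    r'{"image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "pid": 4120, "user": "alice", "dst_host": "graph.microsoft.com"}',
    r'{"image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "pid": 3388, "user": "alice", "dst_host": "ab12cd.files.1drv.com"}',
    r'{"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "pid": 5100, "user": "alice", "dst_host": "example.com"}',
    r'{"image": "C:\\Users\\Public\\update.exe", "pid": 7712, "user": "alice", "dst_host": "login.microsoftonline.com"}',
    r'{"image": "C:\\Users\\Public\\update.exe", "pid": 7712, "user": "alice", "dst_host": "graph.microsoft.com"}',
    '{"image": "broken',
]

if __name__ == "__main__":
    for hit in suspicious_graph_access(SAMPLE_EVENTS):
        print(f"[!] pid {hit['pid']} {hit['image']} ({hit['user']}) -> {hit['dst_host']}")
```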