Chinese Hacker Groups Conducted Spy Campaigns in Southeast Asia
Specialists from Unit 42 IBO company Palo Alto Networks have discovered that the unnamed government of Southeast Asia has been the target of several Chinese hacker groups conducting spy campaigns in the region for a long time. The activity took place at about the same time and sometimes even on the same computers of the victims, but each group used unique tools, methods of work, and infrastructure.
Attack Groups and Techniques
Attacks aimed at various state bodies, including critical infrastructure, public medical institutions, and ministries, were attributed to three different groups: Statly Taurus (Mustang Panda), Alloy Taurus (Granite Typhoon), and Gelsemium.
|Mustang Panda||Alloy Taurus||Gelsemium|
|Used Toneshell and Shadowpad options. The main goal was to collect intelligence and theft of confidential information. During the campaign, attackers controlled the victims, focusing on long-term management. Among the group’s tools were adfind, mimikatz, impacket, web shells, china chopper, Cobalt Strike, Shadowpad, and the new version of the toneshell backdoor.||Tried to remain unnoticed. The group began its actions in early 2022 and continued them throughout 2023, using unusual methods of infection and bypassing security means. Hackers exploited vulnerabilities in Microsoft Exchange Server for the deployment of web shells and additional downloads. Tool inventory included .NET zapoa and reteshell for remote execution of arbitrary commands and collecting confidential information.||Focused on vulnerable IIS servers. The group was active for six months between 2022 and 2023. Attackers used rare tools and methods to gain access to sensitive Microsoft IIS servers. They utilized OWLPROXY and SESSIONManager backdoors, as well as Cobalt Strike, Meterpreter, EarthWorm, and Spoolfool for post-exchanging, tunneling traffic, and raising privileges.|
Since some attempts by attackers to establish harmful software turned out to be unsuccessful, they