Security News > 2020 > September > Microsoft Says China-Linked Hackers Abused Azure in Attacks
Microsoft Reports Evolution of China-Linked Threat Actor GADOLINIUM. Microsoft this week announced that it recently removed 18 Azure Active Directory applications that were being abused by China-linked state-sponsored threat actor GADOLINIUM. Also known as APT40, TEMP.Periscope, TEMP.Jumper, Leviathan, BRONZE MOHAWK, and Kryptonite Panda, the adversary has been active since at least 2013, mainly operating in support of China's naval modernization efforts, through targeting various engineering and maritime entities, including a U.K.-based company.
The threat actor was recently observed leveraging Azure cloud services and open source tools in attacks employing spear-phishing emails with malicious attachments.
"As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure," the tech company says.
In 2018, the hackers abused GitHub to host commands, and 2019 and 2020 attacks employed similar techniques.
As part of the attacks, GADOLINIUM leveraged an Azure Active Directory application for data exfiltration to OneDrive.
News URL
Related news
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- Microsoft warns Azure Virtual Desktop users of black screen issues (source)
- China's Volt Typhoon reportedly breached Singtel in 'test-run' for US telecom attacks (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)