China's Cyberspies Targeting Southeast Asian Government Entities
Russian cybersecurity firm Kaspersky, which first spotted the infections in October 2020, attributed them to a threat actor it tracks as "LuminousMoth," which it connected with medium to high confidence to a Chinese state-sponsored hacking group called HoneyMyte or Mustang Panda, given its observed victimology, tactics, and procedures.
About 100 affected victims have been identified in Myanmar, while the number of victims jumped to nearly 1,400 in the Philippines, although the researchers noted that the actual targets were only a fraction of the initial numbers, including government entities located both within the two countries and abroad. The goal of the attacks is to affect a wide perimeter of targets with the aim of hitting a select few that are of strategic interest, researchers Mark Lechtik, Paul Rascagneres, and Aseel Kayal said.
Put differently, the intrusions are simultaneously wide-ranging and narrowly focused, enabling the threat actor to siphon intelligence from high-profile targets.
In some instances, the attacks incorporated an extra step in which the threat actor deployed a post-exploitation tool in the form of a signed-but-rogue version of the Zoom video conferencing app, using it to collect sensitive files and exfiltrate them to a command-and-control server.
"APT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims' identities or environment," Kaspersky researchers said.
"It's not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers."