Posted on June 16, 2018 at 2:49 PM
A new report by researchers from Kaspersky Lab describes new activity by a well-known hacking group based in China. The group is known by many names, including LuckyMouse, Iron Tiger, EmissaryPanda, Threat Group-3390 and APT27. It is also known for using watering hole attacks, and its latest target was the national data center of an unnamed country in Central Asia.
Kaspersky Lab’s researchers have issued yet another report of a large hack, and this one targeted the national data center of one of the countries of Central Asia. It is still unknown which country was hit, but the hack gave the attackers access to a large number of its government’s resources. The researchers have concluded that the group responsible for the attack is LuckyMouse, a group based in China.
The evidence that this group, which has been active since 2010 and is known by many names, is responsible includes the domains involved, the choice of target, the tools that were used, and the attackers’ tactics.
Basically, a watering hole is a technique that revolves around infecting well-known and reputable websites with malware. The site’s visitors are reassured by its reputation and do not expect their devices to get infected, which is exactly what happens.
In this case, the attackers used an existing version of a malware family called HyperBro. This is a Remote Administration Tool (RAT) that is often used by hackers from China.
Additionally, the researchers found that various Chinese hacking groups, including LuckyMouse, have started using weaponized documents, especially ones that target the Microsoft Office Equation Editor. They use them to exploit a very old vulnerability known as CVE-2017-11882. It is currently still unknown whether this latest attack was carried out through the watering hole or whether the hackers chose to exploit the mentioned vulnerability instead.
There were several interesting details
An interesting detail of the attack is that the C&C (Command and Control) server sat at an IP address belonging to a Ukrainian ISP. The researchers managed to determine that the device behind the address is a MikroTik router running version 6.34.4, and that it had been in use since March 2016. However, they do not believe that the router is owned by the attackers; rather, they think it was hacked as well.
After the hackers compromised the data center, they modified the hosted websites so that they redirected visitors to BeEF and ScanBox. They did this by adding two malicious scripts to the pages. Finally, the researchers say that this particular group has been much more active as of late, which made it stand out quite a bit.
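The modification described above, two script tags added to otherwise legitimate government pages, is something a site owner can check for by comparing the script references in a live page against a known-good copy and an allow-list of first-party hosts. The following is an added example, not code from the report or from this article; the page contents and hostnames in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> reference in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.sources


def unexpected_scripts(html, allowed_hosts):
    """Script URLs whose host is neither first-party (relative URL) nor allow-listed.
    urlparse also resolves protocol-relative URLs such as //host/x.js."""
    return [src for src in script_sources(html)
            if (host := urlparse(src).hostname) and host.lower() not in allowed_hosts]


def newly_added_scripts(baseline_html, current_html):
    """Scripts present in the live copy but absent from the known-good baseline."""
    known = set(script_sources(baseline_html))
    return [src for src in script_sources(current_html) if src not in known]


# Constructed sample pages (not real sites or indicators): a known-good page
# and the same page after two external script tags were injected into <head>.
BASELINE = """<html><head><title>Ministry portal</title>
<script src="/static/app.js"></script>
<script src="https://cdn.gov.example/jquery.min.js"></script>
</head><body>Welcome</body></html>"""

TAMPERED = BASELINE.replace("</head>",
    '<script src="//hook.attacker.example/hook.js"></script>\n'
    '<script src="https://scan.attacker.example/scanbox.js"></script>\n</head>')

ALLOWED = {"cdn.gov.example"}  # hypothetical first-party CDN host

if __name__ == "__main__":
    for src in newly_added_scripts(BASELINE, TAMPERED):
        print("new script since baseline:", src)
    for src in unexpected_scripts(TAMPERED, ALLOWED):
        print("script from non-allow-listed host:", src)
```

In practice the baseline would be the deployed page from version control or the last verified crawl, and the check would run on a schedule against the live site.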
The unusual thing about the attack is the group’s choice of target. A national data center is not only a source of valuable information; it also hosts various websites belonging to the government. Additionally, the researchers believe that the router the hackers broke into was compromised specifically for this attack. This is not usually the case with Chinese hacking groups, which might indicate that they are trying out a stealthier way of running their campaigns.