Nearly half of advanced targeted attacks in Q3, 2017 came from Chinese-speaking actors

The third quarter of 2017 clearly demonstrated that Chinese-speaking actors have not “disappeared” and are still very much active, conducting cyber-espionage campaigns against a wide range of countries and industry verticals.


In total, 10 of the 24 research projects on advanced targeted attacks conducted by Kaspersky Lab in Q3 centered around activities attributed to multiple actors in the Chinese region. These and other trends are covered in Kaspersky Lab’s latest quarterly threat intelligence summary.

Research conducted during the period of July-September 2017 revealed a number of developments in the area of targeted attacks by, among others, Chinese-, Russian-, English-, and Korean-speaking threat actors.

Chinese-speaking actors in particular were especially active during this period. Their revitalization has affected not only various organizations, but also government and political bodies as well as huge regional agreements – bringing international relations into the business of advanced targeted attacks.

Highlights in Q3, 2017 include:

Rise of cyber-espionage attacks by Chinese-speaking actors. The most interesting of the attacks were Netsarang/ShadowPad and CCleaner – both of which involved embedding specific backdoors inside the installation packages of legitimate software. CCleaner alone managed to infect 2 million computers, making it one of the biggest attacks of 2017.

Growing Chinese-speaking actors’ interest in attacks on strategic facilities and economy sectors. At least two separate reports provide clear cases in point:

IronHusky attack on Russian and Mongolian aviation companies and research institutes. This campaign was discovered in July, when the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. The attack was connected to Mongolian air defense prospects, which were a key subject of negotiations held with Russia earlier in the year.

H2ODecomposition attack on the energy sectors of India and Russia. Both countries’ energy sectors were targeted with a new piece of malware referred to as “H2ODecomposition”. In some cases, this malware was masquerading as a popular Indian antivirus solution (QuickHeal).

Furthermore, in Q3 2017 Kaspersky Lab experts issued several reports on Russian-speaking actors. Most of them were dedicated to financial and ATM attacks; however, one report examined Sofacy’s summertime activity, indicating that the group remained active.

As for English-speaking actors, the third quarter also produced yet another member of the Lamberts family: Red Lambert.

The Lamberts is a family of sophisticated attack tools that has been used by either one or multiple threat actors against high-profile victims since at least 2008.

Red Lambert is a network-driven backdoor that was discovered during the earlier analysis of Grey Lambert and that uses hard-coded SSL certificates in its command-and-control communications.

“The targeted threat landscape is evolving constantly, not only in terms of cybercriminals being increasingly well-prepared and technologically sophisticated, but also in terms of geography. The rise of Chinese-speaking actors once again demonstrates the importance of investing in threat intelligence and arming organizations with insight on the latest trends and developments,” said Brian Bartholomew, Principal Security Researcher, Global Research and Analysis Team, Kaspersky Lab.

The Q3 APT Trends report summarizes the findings of Kaspersky Lab’s subscriber-only threat intelligence reports.

During the third quarter of 2017, Kaspersky Lab’s Global Research and Analysis Team created 24 private reports for subscribers, with Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting.