
Russian Organizations Increasingly Under Attack By Chinese APTs

SentinelLabs has identified a new cluster of threat activity targeting Russian organizations. They assess with high-confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine CERT (CERT-UA). The attacks use phishing emails to deliver Office documents to exploit targets in order to deliver their RAT of choice, most commonly Bisonal. SentinelLabs has also identified associated activity targeting telecommunication organizations in Pakistan leveraging similar attack techniques.

The threat actor in question has been active since at least May 2015, but the only public reporting on this activity to date has come from CERT-UA, which first reported it on January 28, 2016. Following that report, SentinelLabs independently confirmed the same activity in mid-February 2016.

Investigation into threat actors targeting Russian and Ukrainian organizations began in December 2015, when SentinelOne observed increased use of tooling by a group that FireEye (FEYE) and Palo Alto Networks (PANW) had previously tracked as "Patchwork". The group primarily targets Russian and Ukrainian organizations with phishing emails carrying malicious Office documents. These documents exploit CVE-2015-2545 and CVE-2016-0781 to deliver the group's RAT of choice, most commonly Bisonal.

The phishing emails use sender addresses that spoof the email domain of the targeted organization itself, both to lend the message credibility and, in some cases, to harvest the victim's credentials. Recipients are lured into opening the attached document or clicking a hyperlink, which delivers the exploit document onto the victim's workstation and gives the attacker a foothold inside the organization's network.

The most likely delivery vector is an exploit document attached to an email, but other phishing vectors have also been used. For example, SentinelOne has seen an attack against internal systems that used spear-phishing emails purporting to come from a "customerservice" address.
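The two observable traits of this chain, a From: address that spoofs the target's own domain and an Office document built to trigger the EPS parsing bug behind CVE-2015-2545, can both be triaged mechanically. The script below is an added example written for this page, not code from SentinelLabs, CERT-UA or AlienVault. It unpacks an OOXML document and reports any embedded EPS member (CVE-2015-2545 is an EPS image handling flaw, so an EPS inside a .docx is worth a second look, though not proof of that exploit), and it flags a message whose visible From: domain is the organization's own while the envelope sender (Return-Path, as stamped by the receiving MTA) is not. The sample document, the sample messages and the domain target-org.example are constructed for the demonstration.

```python
"""Triage checks for the phishing chain described above (added example, not from the original report)."""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from typing import List

# CVE-2015-2545 is triggered by a malformed EPS image embedded in an Office
# document, so any EPS member inside an OOXML package merits inspection.
EPS_NAME = re.compile(r"\.eps$", re.IGNORECASE)
# ASCII EPS header and the DOS "binary EPS" preview header.
EPS_MAGIC = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")


def find_embedded_eps(ooxml_bytes: bytes) -> List[str]:
    """Return package paths of members that look like EPS files by name or magic bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(16)
            if EPS_NAME.search(info.filename) or head.startswith(EPS_MAGIC):
                hits.append(info.filename)
    return hits


def _domain(header_value: str) -> str:
    """Extract the lower-cased domain part of an address header, or '' if none."""
    _, address = email.utils.parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_spoofs_org(raw_message: bytes, org_domain: str) -> bool:
    """True when From: claims org_domain but the envelope sender (Return-Path) does not.

    A missing Return-Path is treated as a mismatch: a message claiming to be
    internal with no recorded envelope sender still deserves analyst attention.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_dom = _domain(str(msg.get("From", "")))
    envelope_dom = _domain(str(msg.get("Return-Path", "")))
    return from_dom == org_domain.lower() and envelope_dom != from_dom


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package with a benign EPS member (not an exploit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.eps", "%!PS-Adobe-3.0 EPSF-3.0\n%%EOF\n")
    return buf.getvalue()


# Constructed sample: visible sender is "internal", envelope sender is an outside relay.
SPOOFED_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
From: "IT Helpdesk" <helpdesk@target-org.example>
To: analyst@target-org.example
Subject: Updated contract (see attached)

Please review the attached document.
"""

# Constructed sample: envelope and visible sender agree, as internal mail would.
LEGIT_EMAIL = b"""Return-Path: <helpdesk@target-org.example>
From: "IT Helpdesk" <helpdesk@target-org.example>
To: analyst@target-org.example
Subject: Password rotation reminder

Rotate your password before Friday.
"""

if __name__ == "__main__":
    print("EPS members:", find_embedded_eps(build_sample_docx()))
    print("spoofed:", sender_spoofs_org(SPOOFED_EMAIL, "target-org.example"))
    print("legit:", sender_spoofs_org(LEGIT_EMAIL, "target-org.example"))
```

Both checks are triage signals, not verdicts: an EPS member only tells you the document is able to reach the vulnerable parser, and the header comparison only works on mail that has passed through an MTA that writes Return-Path. In production the durable control against the spoofed-domain lure is an enforced DMARC policy on your own domain, with this kind of script reserved for retrospective hunting over quarantined mail.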

Source: Russian Organizations Increasingly Under Attack By Chinese APTs - AlienVault - Open Threat Exchange
