Covert cyber attacks by China: According to an investigation by Proofpoint’s cybersecurity experts, a hacker group linked to the Chinese state has increasingly targeted diplomatic facilities in Europe. As the war in Ukraine escalated, the group ran an email campaign whose messages were used to spread malware.
Here’s a summary of Proofpoint’s key takeaways from this campaign:
- The hacking group in question, Threat Actor (TA) 416 (also known as RedDelta), is known to be linked to the Chinese state. The group has been targeting organisations in Europe for several years. Proofpoint has been tracking this cyber actor since 2020, but the pace of its attacks has increased significantly since Russian troops were deployed on the Ukrainian border.
- Recently, TA416 began using a compromised email account belonging to a diplomat from a European NATO country to attack the diplomatic missions of another country. The targeted individuals work in the field of refugee and migrant care.
- TA416’s campaign uses web bugs to profile targets before the malware is distributed. Web bugs, also known as tracking pixels, are invisible hyperlinked objects embedded in the body of an email that, when the message is opened, attempt to retrieve a harmless image file from an attacker-controlled server. The request tells the perpetrators that the targeted account is in use and that the recipient opens emails containing social engineering content. This suggests that TA416 is operating more selectively and may be trying to avoid having its attack tools discovered and made public.
- The campaign also uses malicious links and documents themed around people fleeing Ukraine to lure its targets. The goal is to deliver malware called PlugX to victims. PlugX is a RAT (Remote Access Trojan) that, once installed, gives the operator complete control of the victim’s machine.
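To make the web-bug profiling step concrete from the defender’s side, here is an added Python example (not Proofpoint’s code and not taken from the report) that flags remote images in an HTML email body which look like tracking pixels, and shows the usual mitigation of stripping remote image sources so the client never fetches them. The message body, domain and recipient token are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the domain and token are placeholders, not
# indicators from the Proofpoint report.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please see the attached guidance on refugee support procedures.</p>
<img src="cid:logo@example" width="120" height="40">
<img src="https://tracker.example.invalid/open.gif?id=EXAMPLE-RECIPIENT-TOKEN" width="1" height="1" style="display:none">
<p>Kind regards</p>
</body></html>
"""

class WebBugScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute values may be None
        src = a.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # inline (cid:) or data: images cannot beacon out
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("tiny dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if url.query:
            reasons.append("per-recipient query string")
        if reasons:
            self.hits.append((src, reasons))

def find_web_bugs(html_body):
    """Return [(src, reasons)] for every remote image that looks like a web bug."""
    scanner = WebBugScanner()
    scanner.feed(html_body)
    return scanner.hits

# Mitigation: replace remote image sources with an empty data URI so the mail
# client never fetches them, denying the sender the "mail opened" signal.
REMOTE_IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=["\'])https?://[^"\']*(["\'])', re.I)

def neutralize_remote_images(html_body):
    return REMOTE_IMG_SRC.sub(r"\1data:,\2", html_body)
```

The heuristics only produce candidates for review; legitimate marketing mail also uses tracking pixels, so the useful control is the default of not loading remote content rather than the flag itself.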
“The use of the web bug spying technique suggests that TA416 is becoming increasingly selective about which targets the group chooses to receive its malware payload,” say Proofpoint researchers. “In the past, the group has mainly sent web bug URLs along with malware URLs to get acknowledgment of receipt. In 2022, the group began first creating a user profile and then sending out malware URLs. This could be an attempt by TA416 to avoid their malicious tools being detected and made public. TA416 appears to be narrowing its focus and no longer running broad-based phishing campaigns, concentrating on individual targets. Since they are proven to be active and ready to open emails, this increases the group’s chances of success if a malicious malware payload is subsequently launched.”