Defendants Were Members of the APT 10 Hacking Group Who Acted in Association with the Tianjin State Security Bureau and Engaged in Global Computer Intrusions for More Than a Decade, Continuing into 2018, Including Thefts from Managed Service Providers and More Than 45 Technology Companies

The unsealing of an indictment charging Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both nationals of the People’s Republic of China (China), with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft was announced today. The announcement was made by Deputy Attorney General Rod J. […] Berman for the Southern District of New York, Director Christopher A. […] O’Reilly of the Defense Criminal Investigative Service (DCIS) of the U.S. Department of Defense, and Assistant Attorney General for National Security John C. […]

Zhu and Zhang were members of a hacking group operating in China known within the cyber security community as Advanced Persistent Threat 10 (the APT10 Group). The defendants worked for a company in China called Huaying Haitai Science and Technology Development Company (Huaying Haitai) and acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.

At the SAS 2021 security conference today, analysts from security firm Kaspersky Lab published details about a new Chinese cyber-espionage group that has been targeting high-profile entities across South East Asia since at least July 2020.

Named GhostEmperor, Kaspersky said the group uses highly sophisticated tools and is often focused on gaining and keeping long-term access to its victims through the use of a powerful rootkit that can even work on the latest versions of Windows 10 operating systems.

“We observed that the underlying actor managed to remain under the radar for months,” Kaspersky researchers explained today.

The entry point for GhostEmperor’s hacks was public-facing servers. Kaspersky believes the group used exploits for Apache, Oracle, and Microsoft Exchange servers to breach a target’s perimeter network and then pivoted to more sensitive systems inside the victim’s network.

According to a technical report released during the conference today, GhostEmperor used an assortment of different scripts and tools to deploy backdoors inside a victim’s network. This backdoor (an in-memory implant) was then used to download and run Cheat Engine, a tool used by online gamers to introduce cheats in their favorite video games. Kaspersky said GhostEmperor used Cheat Engine’s powerful drivers to bypass the Windows PatchGuard security feature and install a rootkit inside the victim’s Windows OS.

Called Demodex, researchers said the rootkit was extremely advanced and allowed the group to maintain access to the victim’s device even after OS reinstalls and even on systems running recent versions of the Windows 10 OS.

But this wasn’t GhostEmperor’s only trick. The group also modified the communications between infected hosts and its command and control servers by re-packaging data as fake multimedia formats. Security apps that spotted traffic from GhostEmperor’s malware would normally have classified it as RIFF, JPEG, or PNG files hosted on an Amazon server, researchers explained.

Kaspersky also noted that the group’s malware was full of “a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques” that tried to prevent or hinder security researchers trying to analyze their malware.

While Kaspersky did not reveal the names of the group’s targets, they said GhostEmperor went after governmental entities and telecommunication companies across South East Asia (Malaysia, Thailand, Vietnam, and Indonesia), with outliers in Egypt, Afghanistan, and Ethiopia.