A previously unknown government-backed hacking group is targeting organizations in the manufacturing, IT, and biomedical sectors across Taiwan, Vietnam, the US and an unnamed Pacific island, according to new research from Symantec.
Researchers are tracking the group under the name “Grayling” and said in a report released earlier this week that it is using custom-made malware as well as publicly available tools to attack its targets. The attacks, which began in February and continued through May, stood out to researchers due to the use of distinctive hacking tools. The goal of the campaign is espionage rather than financial gain, they said.[1]
They found attacks on several organizations in the manufacturing, IT, and biomedical sectors in Taiwan, as well as an incident involving a government agency located on the Pacific island. Unnamed organizations in Vietnam and the US were also targeted as part of the campaign. “There are indications that Grayling may exploit public facing infrastructure for initial access to victim machines,” Symantec said. “The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.”
The hackers used Havoc, an open-source tool that has gained prominence among hackers as an alternative to Cobalt Strike. The tool allows hackers to download additional payloads, execute commands on victim machines, manipulate Windows tokens and more.
During the attacks, Symantec saw the hackers use a spyware tool called NetSpy and exploit a popular Windows vulnerability, tracked as CVE-2019-0803. “While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in…are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” they said. “The use of custom techniques combined with publicly available tools is typical of the activity we see from APT groups these days, with threat actors often using publicly available or living-off-the-land tools in attempts to bypass security software and help their activity stay under the radar of defenders.”
While Symantec declined to attribute the activity to a specific country, they said the “heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.”
In May, the US government and Microsoft accused Chinese hackers of infiltrating critical infrastructure systems and other areas around US military bases in Guam, a US territory in the Pacific. Symantec has also released multiple reports this year tracking Chinese espionage campaigns across Vietnam and other Southeast Asian nations, as well as Taiwan.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://therecord.media/nation-state-apt-targeting-taiwan-us/