A Chinese-backed advanced persistent threat (APT) group known for targeting Japanese entities has been connected to a long-running espionage campaign. The campaign is believed to have started in mid-2021 and continued through February 2022. Cybersecurity researchers at Symantec have tied the campaign to Cicada, also known as APT10, Red Apollo, Stone Panda, MenuPass Team, Bronze Riverside, and Potassium.
The identified victims include government, non-governmental (NGO), religious, and legal organizations in North America, Asia, and Europe. Most of the targeted victims are in India, Turkey, the US, Italy, Hong Kong, Canada, Montenegro, and Japan. The hackers from this APT group spent up to nine months hidden inside the networks of some of these organizations. The most striking feature of the campaign is the wide range of sectors and geographic locations it touched. Cicada's activity has historically focused on Japan-linked companies, but the group has recently been linked to attacks further afield.
According to the Symantec report, the group has ties to the Chinese Ministry of State Security. In March 2021, Kaspersky found that a Chinese-backed APT group was carrying out an intelligence-gathering operation across several industry sectors in Japan. In February 2022, Cicada (under the name Stone Panda) was involved in an organized supply chain attack against Taiwan's financial sector aimed at compromising sensitive information held on those systems.
In several of the detected campaigns, the earliest evidence of activity on compromised networks was seen on Microsoft Exchange Servers, which suggests that some of the attacks began with the attackers exploiting unpatched Microsoft Exchange vulnerabilities in April 2021.
Once the attackers gain initial access through a known but unpatched vulnerability in Microsoft Exchange, they deploy their backdoor of choice, known as SodaMaster. The malware is built to stay undetected and encrypts the data it sends back to attacker-controlled devices. Alongside its custom tools, the group uses publicly available tools for scanning and payload delivery.
In the group's newest campaign, the attackers were observed stealing credentials with a custom Mimikatz loader. This loader dropped a "mimilib.dll" that harvests plaintext credentials for any user logging on to the compromised device and remains persistent across reboots. The report also stated that the hackers used VLC Media Player to launch a custom loader through the VLC Exports function, and used the WinVNC tool to control the victim's machine remotely. Other tools seen in this campaign include NBTScan, RAR archiving tools, WMIExec, and system/network discovery utilities.
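The reboot persistence of the mimilib.dll component comes from the way Mimikatz's mimilib works: it registers itself as an LSA Security Support Provider (SSP), so LSASS loads it at every boot and hands it plaintext credentials at logon. The following PowerShell check is an added example, not code from the Symantec report or this article; it lists SSP entries that are not in a baseline of Microsoft packages and reports whether each backing DLL exists and is signed. The baseline list is an assumption for a typical Windows 10/Server build and should be tuned to your own images.

```powershell
function Get-SuspiciousSecurityPackages {
    [CmdletBinding()]
    param(
        # Assumed baseline of Microsoft SSPs; '""' is the placeholder entry Windows writes itself.
        [string[]]$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', '""')
    )

    # Both locations are consulted by LSASS when it loads security packages at boot.
    $lsaKeys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )

    $findings = @()
    foreach ($key in $lsaKeys) {
        $packages = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($pkg in @($packages)) {
            if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
            # -notcontains is case-insensitive in PowerShell, matching how LSASS resolves names.
            if ($Baseline -notcontains $pkg) {
                # An SSP is named without its extension; LSASS resolves it to System32\<name>.dll.
                $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
                $exists = Test-Path -Path $dll
                $findings += [pscustomobject]@{
                    Key       = $key
                    Package   = $pkg
                    DllPath   = $dll
                    DllExists = $exists
                    # Legitimate Microsoft SSPs carry a valid Authenticode signature.
                    SigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
                }
            }
        }
    }
    return $findings
}

# Run with administrative rights and review anything returned against your software inventory.
Get-SuspiciousSecurityPackages | Format-Table -AutoSize
```

Legitimate third-party authentication products also register SSPs, so treat each hit as a lead to verify against change records and the DLL's signer rather than as a confirmed compromise.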
The organizations and sectors targeted, the tools deployed, and the group's past history have led researchers to conclude that the goal is information theft and intelligence gathering. Targeting multiple large organizations around the globe implies that Cicada has plenty of resources at its disposal, and researchers expect the Chinese-backed APT group to remain a growing cybersecurity threat.
Protecting an organization against well-resourced nation-backed groups is never easy, but there are measures that reduce the risk of falling prey to these attacks. At a minimum, organizations should enforce multi-factor authentication and patch known vulnerabilities promptly. Symantec's researchers also recommend one-time passwords for administrative work, to limit the misuse and theft of admin credentials. In addition, IT teams should monitor the network regularly for suspicious activity.