Systems hosting content pertaining to the National Games of China were successfully breached last year by an unnamed Chinese-language-speaking hacking group.
Cybersecurity firm Avast, which dissected the intrusion, said that the attackers gained access to a web server on September 3, 12 days before the event began, and dropped multiple reverse web shells for remote access to gain a permanent foothold in the network.
The National Games of China, a multi-sport event held every four years, took place in the Shaanxi Province between September 15 and 27, 2021.
The Czech company said it was unable to determine the nature of the information stolen by the hackers, adding it has “reason to believe [the attackers] are either native Chinese-language speakers or show high fluency in Chinese.” According to reports, the breach was resolved before the games’ start.
Initial access was gained by exploiting a vulnerability in the web server. Before dropping the web shells, the adversary first experimented with which file types they were able to upload to the server, and then followed up by submitting executable code disguised as seemingly harmless image files.
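One defender-side check for the technique just described, added here as an example and not part of Avast's report: it flags uploaded files whose image extension does not match the file's magic bytes, and image files that carry JSP/PHP script markers after a valid header (a polyglot). The accepted image types, the upload directory and the sample file contents are all constructed assumptions.

```python
import os
import tempfile

# Magic bytes for the image types the upload handler is assumed to accept.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Server-side script markers (JSP/PHP) that have no business inside an image.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<jsp:")

def classify_upload(path):
    """Return None for a plausible image, else a short reason it is suspicious."""
    ext = os.path.splitext(path)[1].lower()
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "non-image extension %r" % ext
    with open(path, "rb") as fh:
        data = fh.read()  # uploads are small; read the whole file to catch appended code
    if not data.startswith(expected):
        return "content does not start with the %s magic bytes" % ext
    for marker in SCRIPT_MARKERS:
        if marker in data:  # polyglot: valid image header followed by script
            return "script marker %r inside image" % marker.decode()
    return None

def scan_upload_dir(directory):
    """Map each suspicious file name in directory to the reason it was flagged."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        reason = classify_upload(os.path.join(directory, name))
        if reason is not None:
            findings[name] = reason
    return findings

def build_sample_dir():
    """Write three constructed uploads: one real PNG header, two disguised scripts."""
    d = tempfile.mkdtemp()
    samples = {
        "logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,
        "photo.jpg": b"<% /* constructed JSP marker, not a real shell */ %>",
        "banner.gif": IMAGE_MAGIC[".gif"] + b"9a" + b"<?php /* constructed marker */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```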
Additionally, attempts were made to reconfigure the server to execute the Behinder web shell, failing which the operators “uploaded and ran an entire Tomcat server properly configured and weaponized” with the post-exploitation tool.
“After gaining access to the network, attackers attempted to move through it using exploits or brute-forcing services in an automated manner,” Avast researchers Jan Neduchal and David Alvarez Perez said.
Other tools uploaded to the server included a network scanner and a custom one-click exploitation framework written in Go that enabled the threat actor to move laterally and autonomously break into other devices on the same network.
“Go is a programming language becoming more and more popular which can be compiled for multiple operating systems and architectures, in a single binary self-containing all dependencies,” the researchers said, calling out the increasing use of Go-based malware to conduct cyber attacks.
“We expect to see grey tools and malware written in this language during future attacks. This is especially true in [Internet of things] attacks that involve a wide range of devices with different processor architectures.”