A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a “widening” of the threat actor’s targeting.
The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied to a group tracked as Cicada, which is also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team.
“Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America,” researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said in a report shared with The Hacker News.
“There’s a heavy focus on victims within the government and non-governmental sectors with some organizations working in areas such as religion and education,” Brigid Gorman, senior information designer at Symantec Threat Hunter Team told The Hacker News.
Most of the target organizations are in the U.S.A., Canada and Hong Kong. One victim is in Japan. The adversary spent as much as nine months in some cases on the victims’ networks.
“There are also some victims in the telecoms, legal and pharmaceutical sectors, but governmental and non-profit organizations appeared to have been the main focus in this campaign,” Gorman added.
In March 2021, Kaspersky researchers took the wraps off an intelligence-gathering operation undertaken by the group to deploy information-gathering implants from a number of industry sectors located in Japan.
Stone Panda was then implicated in an organised supply chain attack against Taiwan’s financial system with the aim of stealing sensitive data from compromised systems.
The new set of attacks observed by Symantec commences with the actors gaining initial access by means of a known, unpatched vulnerability in Microsoft Exchange Servers, using it to deploy their backdoor of choice, SodaMaster.
“However, we did not observe the attackers exploiting a specific vulnerability, so we cannot say if they leveraged ProxyShell or ProxyLogon [flaws],” Gorman said.
SodaMaster is a Windows-based remote access trojan that’s equipped with features to facilitate the retrieval of additional payloads and exfiltrate the information back to its command-and-control (C2) server.
A number of other tools were used during infiltrations, including the Mimikatz credential dumping tool, NBTScan for internal reconnaissance, WMIExec to execute remote commands, and VLC Media Player which launches a custom loader to infect the host.
“This campaign with victims in such a large number of sectors appears to show the group is now interested in a wider variety of targets,” Gorman said.
“The sorts of organizations targeted — nonprofits and government organizations, including those involved in religious and education activity — are most likely to be of interest to the group for espionage purposes. The sort of activity we see on victim machines and past Cicada activity also all point to the motivation behind this campaign being espionage. “