Ongoing Cyber Espionage Activities by Chinese Threat Actors
TL;DR
A new cluster of cyber activities, tracked by Palo Alto Networks’ Unit 42 as CL-UNK-1068, targets critical infrastructure in Asia. The attackers predominantly use custom malware tools, web shells, and sophisticated techniques for cyberespionage.
Main Analysis
Palo Alto Networks has monitored a cluster of malicious activity tracked as CL-UNK-1068 since 2020. It shows a consistent pattern of targeting high-value sectors in South, Southeast, and East Asia, including government, aviation, and pharmaceuticals. Unit 42 assesses with high confidence that a Chinese threat actor is behind the campaign, based on the tooling used and linguistic indicators in the malware. The group's primary focus appears to be cyberespionage, though a cybercrime motive has not been entirely ruled out.
The attackers employ a diverse range of techniques and tools to gain initial access and maintain persistence in compromised networks. They frequently deploy web shells such as GodZilla and variants of AntSword, whose interfaces are predominantly in English and Simplified Chinese, to execute commands in the targeted environment. After gaining a foothold, they move laterally and exploit SQL servers to reach sensitive data. For example, the attackers commonly exfiltrate configuration files from web servers by running commands that archive and encode the data and return it in the web shell's output, thereby avoiding a direct file download.
The group's toolset is versatile and operates across both Windows and Linux systems. They make extensive use of legitimate applications for DLL side-loading and deploy custom malware such as Xnote alongside well-known utilities like Mimikatz for credential theft. Operationally, they run custom scripts to gather system information and clear logs to cover their tracks. As the figures accompanying the report illustrate, their tradecraft shows a meticulous approach to both stealth and efficiency.
Defensive Context
Organizations in critical infrastructure sectors, particularly in South and East Asia, face elevated risk from the CL-UNK-1068 threat actor. Given the sophistication of its attacks, these entities should remain vigilant. Its specific targeting of widely deployed technologies such as SQL servers and web applications makes those systems prime candidates for exploitation.
Why This Matters
The focused nature of these attacks highlights a real-world risk to sectors that operate vital infrastructure, with potential consequences for national security and public safety. Organizations in healthcare, government, and technology should prioritize monitoring for the tactics identified in CL-UNK-1068, particularly credential theft and unauthorized access to sensitive data.
Defender Considerations
Defensive actions should be guided by the behavioral indicators associated with this group: the use of web shells such as GodZilla for initial access, the deployment of specific malware for credential theft, and the execution of custom batch scripts for reconnaissance and lateral movement.
Environment Exposure
This threat cluster is relevant wherever critical infrastructure systems are involved, especially those running web servers and SQL databases; entities without such a technological footprint are less immediately at risk.
Indicators of Compromise (IOCs)
IP Addresses:
- 13.250.108.65
- 43.255.189.67
- 52.77.253.4
- 79.141.169.123
- 107.148.33.60
- 107.148.51.251
- 107.148.130.22
File Hashes:
- SHA256 for web shells, credential dumping tools, and malware components (as detailed in the article).
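The following is an added detection sketch, not code from the Unit 42 report or from Palo Alto Networks, that turns the behaviors described in the Main Analysis and Defender Considerations sections and the IOC list above into something a defender can run over logs. It matches web-server access-log lines against the IP addresses listed above and flags POSTs to script files that are not known application endpoints (the way GodZilla/AntSword-style shells are driven), and it scans process-creation events for the named behaviors: Mimikatz, archive-and-encode staging of data for web shell output, and log clearing. The regexes, the endpoint allowlist and all sample log lines and events are constructed assumptions for illustration.

```python
"""Detection sketch for CL-UNK-1068 behaviours (added example; not the report's own logic)."""
import re
from typing import Dict, List, Optional

# IOC IP addresses listed on the page for CL-UNK-1068.
CL_UNK_1068_IPS = {
    "13.250.108.65", "43.255.189.67", "52.77.253.4", "79.141.169.123",
    "107.148.33.60", "107.148.51.251", "107.148.130.22",
}

# Assumption: the application's legitimate server-side endpoints. Any other
# script path receiving POSTs is treated as a possible dropped web shell.
KNOWN_SCRIPT_ENDPOINTS = {"/login.jsp", "/api/upload.aspx"}
SCRIPT_EXT = re.compile(r"\.(jspx?|aspx?|ashx|php)$", re.I)

# Apache/Nginx "combined" access-log format (parser written for this example).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed behavioural patterns over process command lines.
BEHAVIOURS = {
    "credential_theft_tool": re.compile(r"\bmimikatz\b", re.I),
    "log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I),
}
# Archive-and-encode staging is flagged only when both an archiver and an
# encoder appear in the same command line, to keep false positives down.
ARCHIVERS = re.compile(r"\b(tar|zip|7z|rar|Compress-Archive)\b", re.I)
ENCODERS = re.compile(r"\bbase64\b|certutil(\.exe)?\s+-encode|ToBase64String", re.I)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests from IOC IPs and POSTs to script paths outside the allowlist."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["ip"] in CL_UNK_1068_IPS:
            findings.append({"reason": "ioc_ip", "ip": rec["ip"], "path": path})
        if rec["method"] == "POST" and SCRIPT_EXT.search(path) and path not in KNOWN_SCRIPT_ENDPOINTS:
            findings.append({"reason": "posted_to_unknown_script", "ip": rec["ip"], "path": path})
    return findings


def classify_command(cmdline: str) -> List[str]:
    """Return the behaviour tags that a single command line matches."""
    hits = [name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)]
    if ARCHIVERS.search(cmdline) and ENCODERS.search(cmdline):
        hits.append("archive_and_encode_staging")
    return hits


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply classify_command to each {"host", "cmdline"} event and collect hits."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for tag in classify_command(ev["cmdline"]):
            findings.append({"reason": tag, "host": ev["host"], "cmdline": ev["cmdline"]})
    return findings


# Constructed sample data: one internal client, one IOC IP driving a dropped
# shell, and a second unknown client reaching the same shell path.
SAMPLE_ACCESS_LOG = [
    '10.0.0.8 - - [12/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Mar/2024:09:14:10 +0000] "POST /login.jsp HTTP/1.1" 302 0 "http://intranet/index.html" "Mozilla/5.0"',
    '107.148.33.60 - - [12/Mar/2024:09:20:41 +0000] "POST /images/cache.jsp HTTP/1.1" 200 884 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:09:21:05 +0000] "POST /images/cache.jsp HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
]
SAMPLE_PROCESS_EVENTS = [
    {"host": "web01", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "web02", "cmdline": "sh -c 'tar czf - /var/www/html/config.php | base64 -w0'"},
    {"host": "db02", "cmdline": "C:\\Users\\Public\\mimikatz.exe"},
    {"host": "web01", "cmdline": "wevtutil.exe cl Security"},
]


def run_demo() -> Dict[str, List[Dict[str, str]]]:
    """Scan both constructed data sets and return the findings by source."""
    return {"web": scan_access_log(SAMPLE_ACCESS_LOG),
            "process": scan_process_events(SAMPLE_PROCESS_EVENTS)}


if __name__ == "__main__":
    for source, items in run_demo().items():
        for f in items:
            print(source, f)
```

In real use the second client hitting the same unknown script path is the more useful signal than the IOC match alone, since the IP list ages quickly while the "POST to a script nobody deployed" pattern does not; tighten the allowlist from your deployment manifest rather than by hand.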