China-Linked APT15 Targets Foreign Ministries With ‘Graphican’ Backdoor
Introduction
The Chinese hacking group APT15, also known as Flea, KE3CHANG, Nickel, Playful Dragon, Royal APT, and Vixen Panda, has been identified as targeting foreign affairs ministries in the Americas with a new backdoor named Graphican. This information comes from Symantec, an anti-malware vendor that has been monitoring the group’s activities.
The Attack Campaign
Symantec reported that the APT15 group ran an attack campaign from late 2022 to early 2023. During this campaign, they utilized the Graphican backdoor in conjunction with other living-off-the-land tools. The Graphican backdoor has similar functionality to the Ketrican backdoor used in previous attacks by APT15 but uses the Microsoft Graph API to connect to OneDrive and retrieve command-and-control information.
Technical Capabilities
Graphican is capable of performing various actions based on commands received from the command-and-control server. These actions include creating an interactive command line, creating and downloading files, and creating processes with hidden windows. The group also used other tools such as Ewstew backdoor, web shells, and publicly available tools like Mimikatz, Pypykatz, Safetykatz, Lazagne, Quarks PwDump, SharpSecDump, K8Tools, and EHole.
Motives and Targets
The APT15 group has been active since at least 2004 and is believed to be well-resourced. Symantec suggests that the group is likely sponsored by the Chinese government. Their goal appears to be gaining persistent access to the networks of their targeted victims, including governments, diplomatic missions, human rights organizations, embassies, and think-tanks in Central and South America, the Caribbean, Europe, and North America.
Symantec also notes that the group’s targets in this campaign, specifically ministries of foreign affairs, indicate a likely geopolitical motive behind their actions. The group’s activities suggest an interest in intelligence gathering and information from foreign governments.
Exploitation of Vulnerabilities
During the campaign, APT15 was observed exploiting a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) that was patched in August 2020. This vulnerability, known as Zerologon or CVE-2020-1472, allows unauthenticated attackers to run a specially crafted application on a device on the network.
Attribution and Conclusion
Symantec’s research and analysis indicate that the APT15 group is a large and well-resourced hacking group likely sponsored by the Chinese government. Their activities, targeting foreign affairs ministries and other government entities, point to a geopolitical motive behind their campaign.
Security Implications
APT15‘s activities highlight the ongoing cybersecurity threats posed by nation-state-sponsored hacking groups. The use of sophisticated backdoors and a range of tools make it challenging for organizations to defend against such attacks. Organizations, especially those handling sensitive information and engaged in geopolitically sensitive activities, should take steps to enhance their cybersecurity measures.
- Implement robust endpoint protection measures: Organizations should deploy advanced anti-malware solutions that can effectively detect and prevent the installation of backdoors, such as Graphican.
- Maintain up-to-date system patches: Regularly applying security patches can help mitigate the risk of exploitation of known vulnerabilities, as seen with APT15‘s exploitation of the Zerologon vulnerability.
- Enable multi-factor authentication: Implementing multi-factor authentication on critical systems and services can significantly reduce the risk of unauthorized access, even if credentials are compromised.
- Enhance employee cybersecurity awareness: Educate employees about the risks of phishing attacks and social engineering techniques commonly used by hackers. Awareness training can help employees identify and report suspicious activities.
Philosophical Discussion
The activities of hacking groups like APT15 raise fundamental questions about the ethics and morality of cyber espionage and state-sponsored hacking. While governments have historically engaged in intelligence gathering, the digital age has intensified the scale and scope of these activities. It is crucial for policymakers, civil society, and the general public to engage in a broader philosophical discussion about the acceptable boundaries of cyber espionage.
Editorial: The Need for International Cooperation
The rise of nation-state-sponsored hacking groups, like APT15, underscores the importance of international cooperation in addressing cybersecurity threats. Governments and international organizations must collaborate to establish norms and regulations that govern cyber activities and deter malicious actors. Building trust through information sharing and joint cybersecurity exercises can help create a more secure and resilient digital landscape.
Furthermore, increased transparency and accountability by governments can lead to more meaningful conversations about the boundaries of cyber espionage and the protection of human rights in cyberspace.
It is critical for governments and organizations to prioritize cybersecurity and invest in the necessary resources to defend against ever-evolving cyber threats. Only through international collaboration and concerted efforts can we effectively safeguard our digital infrastructure and protect the integrity of our institutions.
<< photo by wu yi >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- How the Chinese-backed APT group ‘Volt Typhoon’ infiltrated US critical infrastructure organizations
- Lancefly APT: Examining the Long-Running Cyber Espionage Campaign Against Asian Government Organizations
- “US Uncovers Russian Cyber Espionage Network Operating Across Multiple Nations.”
- Racing Against the Camaro Dragon: Battling USB-Driven Self-Propagating Malware
- Unleashing the Power of Red Zone Threat Intelligence: Safeguarding Organizations in the Digital Age
- The Unseen Threat: A Closer Look at the Ongoing iOS Spy Campaign
- AI to the Rescue: Unmasking Data Exfiltration with Machine Learning
- The Rising Threat: Condi Malware Hijacks TP-Link Wi-Fi Routers for Massive DDoS Botnet Attacks
- Building a Secure Bridge: NineID Raises $2.6M to Strengthen Corporate Security in the Digital Age
- 20-Year-Old Chinese APT15: A Resurgent Threat Targeting Foreign Ministries
- Apple’s Emergency Response: Battling Alleged Spyware Vulnerability