China-Backed APT Group Culling Thai Government Data

October 2, 2024 at 09:08PM

CeranaKeeper, a China-aligned threat actor, has conducted large-scale data exfiltration in Southeast Asia. ESET researchers found that the group has been active since early 2022, using tooling shared with Mustang Panda and abusing legitimate file-sharing services for command and control and exfiltration. It breached Thai government systems and harvested data at scale, showing rapid tool evolution and persistence.

Key takeaways from the article:

1. A newly documented threat actor known as CeranaKeeper, aligned with China, has been conducting a massive data exfiltration campaign across Southeast Asia. It recently targeted government institutions in Thailand through a sustained series of intrusions.

2. ESET researchers have tracked CeranaKeeper's activity since early 2022. The group uses components it shares with the Chinese-backed APT group Mustang Panda, and has also developed new tools that abuse legitimate file-sharing services to move stolen data out of victim networks.

3. CeranaKeeper gained access to Thai government systems in mid-2023 through a brute-force attack against a domain controller on the local network. Once inside, it deployed the Toneshell backdoor and a credential-dumping tool, and abused a legitimate Avast driver to disable security products on the compromised hosts.

4. ESET describes CeranaKeeper as a "relentless," rapidly evolving and nimble threat group that continuously reworks its toolset to evade detection while focusing on massive data harvesting.

5. The Chinese government is assessed to sponsor APT groups such as Mustang Panda and CeranaKeeper for espionage and related cyber operations.
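The initial access described in item 3, a brute-force attack against a domain controller, leaves a characteristic trace in authentication logs: a burst of failed logons from one source, typically followed by a successful logon from that same source. The detector below is an added illustration of how to surface that pattern; it is not code from ESET or from the article. The log format (timestamp, source address, account, result) and the sample lines are constructed for the example, and the threshold and window values are assumptions a defender would tune to their own environment.

```python
"""Flag brute-force logon patterns against a domain controller.

Added example, not from the ESET report or the article. Assumes a simple
whitespace-separated export of authentication events:
    <ISO-8601 timestamp> <source address> <account> <FAIL|SUCCESS>
The format, the sample lines and the tuning values below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Source 10.10.5.23 hammers one account and then gets in;
# 10.10.7.8 is a user mistyping a password once; 10.10.9.1 fails slowly over an
# hour, which should not trip a short-window burst rule.
SAMPLE_LOG = """\
2023-06-12T02:14:01 10.10.5.23 administrator FAIL
2023-06-12T02:14:03 10.10.5.23 administrator FAIL
2023-06-12T02:14:05 10.10.5.23 administrator FAIL
2023-06-12T02:14:08 10.10.5.23 administrator FAIL
2023-06-12T02:14:10 10.10.5.23 administrator FAIL
2023-06-12T02:14:12 10.10.5.23 administrator FAIL
2023-06-12T02:14:15 10.10.5.23 administrator SUCCESS
2023-06-12T02:20:00 10.10.7.8 jdoe FAIL
2023-06-12T02:20:30 10.10.7.8 jdoe SUCCESS
2023-06-12T03:00:00 10.10.9.1 svc_backup FAIL
2023-06-12T03:10:00 10.10.9.1 svc_backup FAIL
2023-06-12T03:20:00 10.10.9.1 svc_backup FAIL
2023-06-12T03:30:00 10.10.9.1 svc_backup FAIL
2023-06-12T03:40:00 10.10.9.1 svc_backup FAIL
"""

# Assumed tuning values: five failures inside two minutes from one source.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Split one constructed-format log line into (timestamp, source, account, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (source, kind, detail) tuples.

    kind == "burst"               : >= threshold failures from one source inside `window`
    kind == "burst_then_success"  : a successful logon from that source after its burst,
                                    the strongest signal that the brute force worked
    """
    recent_failures = defaultdict(deque)   # source -> timestamps of failures in window
    accounts_tried = defaultdict(set)       # source -> accounts it failed against
    burst_sources = set()                   # sources already flagged, awaiting a success
    alerts = []

    for line in lines:
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)

        if result == "FAIL":
            window_q = recent_failures[src]
            window_q.append(ts)
            accounts_tried[src].add(user)
            # Drop failures that have aged out of the sliding window.
            while window_q and ts - window_q[0] > window:
                window_q.popleft()
            if len(window_q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append((
                    src, "burst",
                    f"{len(window_q)} failed logons within {window} "
                    f"against {len(accounts_tried[src])} account(s)",
                ))
        elif result == "SUCCESS" and src in burst_sources:
            # A success right after a failure burst is the likely-compromise signal.
            alerts.append((src, "burst_then_success",
                           f"successful logon as {user} after failure burst"))
            burst_sources.discard(src)

    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, kind, detail in run_sample():
        print(f"{kind:20} {src:12} {detail}")
```

The two-stage design matters in practice: a failure burst alone produces noise from misconfigured services and locked-out users, while a burst followed by a success from the same source is rare enough to page on. In a real deployment the parse step would read the domain controller's native audit events rather than this constructed format, and the window and threshold would be set from observed baseline failure rates.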

