December 11, 2023 at 09:12AM
The enigmatic advanced persistent threat (APT) known as Sandman and a China-based threat cluster that uses the KEYPLUG backdoor have been found to share tactical and targeting overlaps. A joint assessment from SentinelOne, PwC, and Microsoft points to shared infrastructure control and management practices and shared implant design, suggesting common functional requirements on the operators' side. The use of Lua-based malware also points to an evolving trend in threat actor tooling.
Based on the meeting notes provided, here are the key takeaways:
1. Tactical and targeting overlaps have been discovered between the advanced persistent threat (APT) called Sandman and a China-based threat cluster using the KEYPLUG backdoor.
2. The joint assessment by SentinelOne, PwC, and Microsoft Threat Intelligence team highlights the cohabitation of LuaDream and KEYPLUG in the same victim networks.
3. Microsoft and PwC are tracking the activity under the names Storm-0866 and Red Dev 40, respectively.
4. Sandman, identified by SentinelOne, has been targeting telecommunication providers in the Middle East, Western Europe, and South Asia using the LuaDream implant.
5. Storm-0866/Red Dev 40 is an emerging APT cluster primarily targeting entities in the Middle East and South Asia, using the KEYPLUG backdoor.
6. Both Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, hosting provider selections, and domain naming conventions, suggesting shared functional requirements by their operators.
7. Commonalities between LuaDream and KEYPLUG include shared protocols for C2 communications, similar high-level execution flows, and the adoption of uncommon programming languages to evade detection.
These takeaways provide a clear understanding of the overlap and shared characteristics between Sandman and the China-based threat cluster using the KEYPLUG backdoor, emphasizing the complex nature of the Chinese threat landscape.