Chinese Earth Krahang hackers breach 70 orgs in 23 countries

Chinese Earth Krahang hackers breach 70 orgs in 23 countries

March 18, 2024 at 04:53PM

Summary: A sophisticated hacking campaign by the Chinese APT group Earth Krahang has targeted 70 organizations in 45 countries since early 2022, primarily focusing on government entities. The attackers exploit vulnerabilities and use spear-phishing to deploy custom backdoors for cyber espionage, abusing breached government infrastructure to target other governments and deploy malware and tools for data collection.

The meeting notes outline a sophisticated hacking campaign attributed to a Chinese APT group known as ‘Earth Krahang’, which has targeted 70 organizations across 45 countries, primarily focusing on government entities. The attackers exploit vulnerable servers and use spear-phishing emails to deploy custom backdoors for cyberespionage, targeting government email accounts and infrastructure.

The threat actors employ open-source tools to scan public-facing servers for vulnerabilities, deploy webshells to gain unauthorized access, and use spear-phishing emails to lure recipients into opening malicious attachments. Once inside a network, Earth Krahang uses compromised infrastructure to host malicious payloads, proxy attack traffic, and brute force credentials for email accounts. They also deploy VPN servers on compromised servers using SoftEtherVPN to access victims’ private networks and further their lateral movement.

The attackers deploy malware and tools such as Cobalt Strike, RESHELL, and XDealer, with the latter being a more sophisticated backdoor capable of capturing screenshots, logging keystrokes, and intercepting clipboard data. Trends Micro’s research suggests potential ties between Earth Krahang and the Chinese company I-Soon, indicating a dedicated task force for cyberespionage on government entities.

Overall, the report highlights the persistent and evolving nature of the Earth Krahang hacking campaign and provides insight into its tactics, techniques, and possible attribution to other threat actors and organizations.

Full Article