December 12, 2023 at 08:48AM
Sandman, a recently identified APT actor, is linked to China, according to a joint report by SentinelOne, Microsoft, and PwC. Its sophisticated modular backdoor, LuaDream, was highlighted in attacks on telecom providers in the Middle East, Europe, and South Asia. The report links Sandman to the China-based threat actor STORM-0866/Red Dev 40 and its use of the KeyPlug backdoor. Overlaps in infrastructure and tactics suggest shared development and indicate potential shared control practices. Digital certificates, IPs, and other factors have helped identify these APTs and their connections. This indicates the adoption of the Lua development paradigm by a broader set of cyberespionage threat actors. It also emphasizes the complex nature of the Chinese threat landscape.
Based on the meeting notes, it is evident that the Sandman advanced persistent threat (APT) actor has been linked to China, as stated in a joint report by SentinelOne, Microsoft, and PwC. Sandman was highlighted at the LABScon security conference due to its use of the sophisticated modular backdoor LuaDream, developed using the cross-platform programming language Lua. Initially targeting telecom providers in the Middle East, Europe, and South Asia for cyberespionage purposes, Sandman’s activity was not initially linked to any known APTs.
The joint report establishes connections between Sandman APT attacks and the activities of STORM-0866/Red Dev 40, a suspected China-based threat actor known to be using the KeyPlug backdoor. This backdoor was initially associated with Chinese state-sponsored group APT41 but has since been identified in use by other developing clusters, including STORM-0866/Red Dev 40, indicating its sharing among multiple Chinese threat actors.
The investigation uncovered overlaps in functionality and design between LuaDream and KeyPlug, suggesting shared development and infrastructure control and management practices among the threat actors. Digital certificates, IPs, cloud-based reverse proxy infrastructure, hosting providers, and domain naming conventions were used to link the APTs, along with the use of identical encryption keys, similar high-level execution flows, and direct overlaps in implementation.
The joint findings suggest strong overlaps in operational infrastructure, targeting, and TTPs associating Sandman APT with China-based adversaries using the KeyPlug backdoor, particularly STORM-0866/Red Dev 40, demonstrating the complex nature of the Chinese threat landscape.
These are some recommendations and potential action items that can be derived from the meeting notes:
1. Strengthen cyber defenses against backdoor attacks by threat actors known to use Lua-based malware, particularly those associated with China-based adversaries.
2. Conduct further analysis of digital certificates, IPs, cloud-based reverse proxy infrastructure, hosting providers, and domain naming conventions to identify potential indicators of compromise (IOCs).
3. Collaborate with security researchers and industry experts to monitor and mitigate the risk posed by the Sandman APT and its associated threat actors.
4. Stay informed about the evolving threat landscape in China’s offensive cyber operations and adapt security measures accordingly.
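The infrastructure-overlap pivoting described in the report summary above (shared digital certificates, IPs, hosting providers, and domain naming conventions) and called for in recommendation 2 can be automated over a team's own IOC records. The following is an added example, not code from the report or from any of the vendors named; every cluster name, domain, IP, certificate fingerprint, hosting provider, and scoring weight in it is a constructed placeholder, and the `naming_pattern` heuristic and the attribute weights are assumptions chosen for illustration.

```python
"""Infrastructure-overlap pivoting over constructed IOC records (added example).

Indexes indicator records by the attribute types the report used for linking
(TLS certificate fingerprint, IP address, hosting provider, domain naming
convention) and reports which activity clusters share which attributes.
"""
import re
from collections import defaultdict

# Constructed sample records: clusters, domains, IPs (RFC 5737 ranges),
# certificate fingerprints and providers are all placeholders, not real IOCs.
RECORDS = [
    {"cluster": "Cluster-A", "domain": "cdn-update01.example.test", "ip": "192.0.2.10",
     "cert_sha256": "CERT-PLACEHOLDER-1", "provider": "HosterX"},
    {"cluster": "Cluster-A", "domain": "cdn-update02.example.test", "ip": "192.0.2.11",
     "cert_sha256": "CERT-PLACEHOLDER-2", "provider": "HosterX"},
    {"cluster": "Cluster-B", "domain": "cdn-update03.example.test", "ip": "192.0.2.10",
     "cert_sha256": "CERT-PLACEHOLDER-1", "provider": "HosterY"},
    {"cluster": "Cluster-B", "domain": "api-sync.example.test", "ip": "198.51.100.5",
     "cert_sha256": "CERT-PLACEHOLDER-3", "provider": "HosterY"},
    {"cluster": "Cluster-C", "domain": "mail.example.test", "ip": "203.0.113.7",
     "cert_sha256": "CERT-PLACEHOLDER-4", "provider": "HosterZ"},
]

# Assumed pivot weights: a shared certificate or IP is a far stronger link
# than a shared hosting provider, which many unrelated tenants also share.
WEIGHTS = {"cert_sha256": 3, "ip": 3, "naming": 2, "provider": 1}


def naming_pattern(domain):
    """Reduce a domain's first label to a naming convention by collapsing
    digit runs to '#', e.g. 'cdn-update01.example.test' -> 'cdn-update#'.
    This is an assumed heuristic, not the report's method."""
    label = domain.split(".")[0]
    return re.sub(r"\d+", "#", label)


def index_attributes(records):
    """Map (attribute_type, value) -> set of clusters observed with it."""
    idx = defaultdict(set)
    for r in records:
        idx[("ip", r["ip"])].add(r["cluster"])
        idx[("cert_sha256", r["cert_sha256"])].add(r["cluster"])
        idx[("provider", r["provider"])].add(r["cluster"])
        idx[("naming", naming_pattern(r["domain"]))].add(r["cluster"])
    return idx


def find_overlaps(records):
    """Return {frozenset({cluster1, cluster2}): [(attribute_type, value), ...]}
    listing every attribute value seen in both clusters of the pair."""
    overlaps = defaultdict(list)
    for (attr, value), clusters in index_attributes(records).items():
        if len(clusters) < 2:
            continue
        names = sorted(clusters)
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                overlaps[frozenset((names[i], names[j]))].append((attr, value))
    return dict(overlaps)


def link_scores(records):
    """Weighted link strength per cluster pair, summing WEIGHTS over the
    shared attributes found by find_overlaps."""
    return {pair: sum(WEIGHTS[attr] for attr, _ in shared)
            for pair, shared in find_overlaps(records).items()}


if __name__ == "__main__":
    scores = link_scores(RECORDS)
    for pair, shared in find_overlaps(RECORDS).items():
        a, b = sorted(pair)
        print(f"{a} <-> {b}: score {scores[pair]}")
        for attr, value in shared:
            print(f"  shared {attr}: {value}")
```

On the constructed data, Cluster-A and Cluster-B are linked by a shared IP, a shared certificate fingerprint, and a common `cdn-update#` naming convention, while Cluster-C shares nothing and is left unlinked; a differing hosting provider does not break the link, which is the point of scoring pivots by strength rather than counting them equally.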
I hope this analysis helps provide clear takeaways from the meeting notes. Let me know if you need any further assistance or if there are additional tasks to be addressed.