“We’ve tracked it back to previous TTP [tactics, techniques, procedures] known to be associated with Chinese groups,” Mr Hussey said.
Analysis of the malicious code shows the document was built with a document-weaponising tool called RoyalRoad, which is often tied to China-based, and sometimes Russian, groups.
“But as we really dug into it, the type of exploit used, the name of the files and the forensic artefacts left on the system were very similar, or even identical, to previously identified Chinese-based attacks,” Mr Hussey said.
Attached document
“If there’s a meeting, they’re going to want to know as much as they can before this meeting happens, and they can do that by monitoring the emails or locations … so that basically by the time the meeting happens, they already know everything that’s going to be said, they have all the talking points, and they’re prepared.”
The attached document claimed to be a series of action statements from the Hiroshima G7 meeting in mid-May related to food security, as well as security issues such as the South China Sea, and was 40 pages long.
Hidden within the highly professional document are policy points which China often pushes, including strict adherence to the One China policy and pushback against force being used in the South China Sea.
Mr Hussey, a former US Federal Bureau of Investigation senior digital forensic analyst, leads SentinelOne’s intelligence and threat-hunting business WatchTower. He said that after the email campaign came to their attention, the firm did additional research on the dark web, took samples of malware and reverse engineered them to reach the conclusion it was likely coming from within China.
“If it’s an intel organisation, they’re likely looking for locations of high-level targets, what they’re doing, what their emails are producing intel gathering or, if it’s financially motivated, they’re looking for ransomware or other kind of financial motivations,” he said.
“What leads us to China, it starts with the victimology, so who’s being targeted? These government officials.”
The file names and techniques used, as well as the time and money spent creating such an extensive document, would point to this not being a standard cybercriminal group, Mr Hussey said.
Once the Word document is opened, it installs an infostealer: malware built to harvest passwords, keystrokes, network activity and other data and send it back to the attackers. To get code running, the attackers exploited a memory-corruption vulnerability in a Microsoft Office component that is some 23 years old. Simply opening the malicious document is enough; it hands the attackers remote access to the compromised system.
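The article does not name the vulnerable component, but RoyalRoad is publicly reported to produce RTF documents carrying an embedded Equation Editor OLE object that is activated on open. The triage script below is an added example, not code from the article or from SentinelOne: it walks an RTF file, decodes every `\objdata` payload, parses the OLE1 object header to recover the embedded object's class name and native-data size, and flags Equation Editor class names (compared case-insensitively, since attackers vary the case) and the `\objupdate` control word that forces the object to load without user interaction. The class-name list and the sample document are assumptions constructed for this example; the sample carries only inert filler, not an exploit.

```python
import re
import struct

# Class names registered by the Microsoft Equation Editor OLE server. The article
# names neither the component nor the class; this list is an assumption taken
# from public reporting on RoyalRoad-built documents.
EQUATION_EDITOR_CLASSES = {"Equation.2", "Equation.3"}

# \objdata is followed by the hex-encoded OLE1 object stream, terminated by '}'.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")


def _parse_ole1(blob: bytes):
    """Parse the OLE1 object header: OLEVersion, FormatID, ClassName,
    TopicName, ItemName, NativeDataSize, NativeData (all sizes little-endian)."""
    if len(blob) < 12:
        return None
    ole_version, format_id, class_len = struct.unpack_from("<III", blob, 0)
    off = 12
    if class_len > len(blob) - off:
        return None
    class_name = blob[off:off + class_len].split(b"\x00", 1)[0].decode("latin-1")
    off += class_len
    if len(blob) < off + 8:
        return None
    topic_len, item_len = struct.unpack_from("<II", blob, off)
    off += 8 + topic_len + item_len
    if len(blob) < off + 4:
        return None
    native_size = struct.unpack_from("<I", blob, off)[0]
    off += 4
    native = blob[off:off + native_size]
    return {
        "ole_version": ole_version,
        "format_id": format_id,        # 2 = embedded object, 3 = linked object
        "class_name": class_name,
        "native_size": native_size,    # size the header claims
        "native_present": len(native), # bytes actually in the file
    }


def extract_ole_objects(rtf: bytes):
    """Return the parsed OLE1 header of every \\objdata payload in the RTF."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue  # odd-length or junk hex is not a usable object payload
        parsed = _parse_ole1(blob)
        if parsed:
            objects.append(parsed)
    return objects


def triage_rtf(rtf: bytes):
    """Summarise embedded objects and the reasons the file looks suspicious."""
    objects = extract_ole_objects(rtf)
    wanted = {c.lower() for c in EQUATION_EDITOR_CLASSES}
    reasons = []
    for o in objects:
        if o["class_name"].lower() in wanted:
            reasons.append(f"embedded {o['class_name']} object "
                           f"({o['native_size']} bytes of native data)")
        if o["native_present"] < o["native_size"]:
            reasons.append("object declares more native data than the file contains")
    if rb"\objupdate" in rtf:
        reasons.append(r"\objupdate present: object is loaded when the document is opened")
    return {"objects": len(objects), "suspicious": bool(reasons), "reasons": reasons}


def _ole1_blob(class_name: str, native: bytes) -> bytes:
    """Build an OLE1 object stream for the constructed sample below."""
    cn = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<III", 0x00000501, 2, len(cn)) + cn
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)


# Constructed sample (not a real exploit document): one embedded object with a
# case-varied "Equation.3" class name and 64 bytes of inert filler, set to
# load on open via \objupdate, followed by innocuous decoy text.
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0 {\\object\\objemb\\objupdate{\\*\\objclass EqUaTiOn.3}"
              b"{\\*\\objdata " + _ole1_blob("EqUaTiOn.3", b"A" * 64).hex().encode("ascii")
              + b"}}\\par A clean-looking page of G7 talking points.\\par}")


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

Run it against a real file with `triage_rtf(open(path, "rb").read())`. A class-name hit is a strong triage signal but not proof of exploitation; the native data still has to be examined to confirm what the object does.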
A Department of Foreign Affairs and Trade spokesman said it “employs a range of robust cybersecurity controls in line with the government’s Essential Eight cybersecurity framework. The department’s cybersecurity capability defends the department’s computer network from attacks, including email phishing campaigns.”
Quad a likely target
SentinelOne Australia and New Zealand regional director Jason Duerden said ransomware attacks by cybercriminal gangs had been rife in the past 12 months. His firm runs a policy group focused on ransomware across the Quadrilateral Security Dialogue, the strategic grouping of Australia, the US, Japan and India.
“We do say nations who are potentially against the Quad, the criminal groups that sit within those countries, are more likely to then attack after certain announcements,” Mr Duerden said.
The Australian Cyber Security Centre, which sits within the Australian Signals Directorate, said it was concerned by the “increased scale and severity of malicious cyber activity by state and non-state actors”.
“The Australian Signals Directorate’s Australian Cyber Security Centre provides technical advice and strategies to mitigate cybersecurity incidents caused by various cyber threats, including those conducted by advanced persistent threats such as state actors,” an ACSC spokesman said.
“The Australian government will continue to deter and respond to malicious actors threatening our national interests, including attributing malicious cyber activity when it is in our interests to do so.”
In April, the Australian Security Intelligence Organisation (ASIO) revealed there was a genuine threat of people in parliament, the public service, defence and the judiciary being compromised by hostile powers.
“They are targeting our security clearance holders, those with access to Australia’s most privileged information, capabilities and secrets,” ASIO said in a submission to a legislative review.
“Since the announcement of AUKUS, there has been a distinct uptick in the online targeting of people working in Australia’s defence industry.”
Last week, Google-owned cybersecurity group Mandiant reported what it suspected were China state-backed hackers exploiting a security flaw in a widely used email security appliance from Barracuda Networks to break into the networks of hundreds of public and private sector organisations across the world.
Copyright for syndicated content belongs to the linked source: Australian Financial Review – https://www.afr.com/technology/chinese-hackers-use-g7-ruse-to-target-australian-government-officials-20230615-p5dgqq