China-based hacker groups target high-profile entities in Southeast Asia: Report

The Symantec Threat Hunter Team, in its December 2024 report, revealed a sophisticated espionage campaign targeting high-profile organisations across Southeast Asia.

The campaign has been linked to advanced persistent threat (APT) groups allegedly operating from China.

This revelation underscores the escalating cyber threat landscape in the region, highlighting the urgent need for robust cybersecurity measures and international cooperation.

Symantec’s analysis indicates that the espionage campaign primarily targeted government institutions, critical infrastructure providers, and key industries, including telecommunications, defence, and energy.

These sectors were likely chosen due to their strategic importance and the sensitive information they handle.

Such data, if compromised, could provide adversaries with significant geopolitical and economic advantages.

“The targeting pattern suggests a clear intent to gather intelligence that could be leveraged for strategic purposes,” said a Symantec spokesperson.

A Trend Micro blog post referenced in a Symantec report reveals that Earth Baku, originally focused on the Indo-Pacific region, has broadened its operations to Europe, the Middle East, and Africa.

The group has reportedly targeted countries such as Italy, Germany, the UAE, and Qatar, with potential activities also observed in Georgia and Romania.

Symantec also notes that Earth Baku has previously employed a tool called Rakshasa, which features simplified Chinese.

The Symantec report noted that APT groups also breached “a large U.S. organization with a significant presence in China” during a four-month-long intrusion that was detected on April 11 and continued until August.

The breach was the work of a China-based actor, based on available evidence, according to the report.

“The attackers moved laterally across the organization’s network, compromising multiple computers,” the report said, without disclosing the name of the victim organization.

“Some of the machines targeted were Exchange Servers, suggesting the attackers were gathering intelligence by harvesting emails. Exfiltration tools were also deployed, suggesting that targeted data was taken from the organizations,” the report added.

The report highlights that the attackers employed tailored strategies to infiltrate systems and maintain long-term access, a hallmark of APT operations.

Symantec’s investigation attributes the campaign to China-based APT groups, based on several indicators, including:

Tactics, Techniques, and Procedures (TTPs): The attackers used methods commonly associated with known Chinese APT groups, such as spear-phishing emails, supply chain compromises, and exploiting zero-day vulnerabilities.

Infrastructure overlaps: Symantec identified overlaps in command-and-control (C2) servers and tools used in previous campaigns linked to China-based actors.

Victimology: The focus on Southeast Asia aligns with China’s strategic interests in the region, including territorial disputes and economic initiatives like the Belt and Road Initiative (BRI).

While definitive attribution in cyberattacks remains challenging, the weight of evidence strongly points to Chinese APT involvement.

The espionage campaign employed a multi-faceted approach to breach its targets. Key methods included:

Spear-phishing emails: Customized phishing emails with malicious attachments or links were used to gain initial access.

Exploitation of zero-day vulnerabilities: Attackers leveraged unpatched software vulnerabilities to infiltrate systems undetected.

Supply chain compromises: By targeting third-party vendors or service providers, attackers gained indirect access to their primary targets.

Advanced malware deployment: Once inside the network, the attackers deployed stealthy malware capable of evading detection, maintaining persistence, and exfiltrating sensitive data.

Symantec’s report highlights the use of custom malware tools like “Trojan.Gedscan” and “Backdoor.Shadowflame,” which were designed to adapt to the unique defences of each targeted organisation.

This espionage campaign has far-reaching implications for Southeast Asia and beyond:

National security risks: The breach of government and defence systems poses significant threats to national security, potentially exposing military strategies, diplomatic communications, and classified intelligence.

Economic impact: Targeting industries like energy and telecommunications can disrupt critical infrastructure, leading to economic instability and undermining investor confidence.

Geopolitical tensions: The campaign could exacerbate regional tensions, particularly in the context of ongoing territorial disputes in the South China Sea and other strategic areas.

Global cybersecurity concerns: The operation highlights the evolving sophistication of APT groups and the increasing need for international collaboration in combating cyber threats.

In light of the campaign, Symantec’s Threat Hunter Team provided several recommendations to mitigate the risks posed by such espionage activities, which include enhancing cybersecurity posture, updating patch management, ensuring supply chain security, hosting employee awareness training and boosting international cooperation.

Advanced persistent threat groups have long been a significant force in the cyber domain.

These state-sponsored or highly resourced entities conduct operations aimed at espionage, sabotage, or data theft to advance their nation’s strategic interests.

The focus on Southeast Asia in this campaign reflects the region’s growing geopolitical significance as a hub for trade, technology, and strategic military positioning.

China-based APT groups, in particular, have been linked to numerous high-profile cyber incidents over the past decade.

Their activities often align with China’s geopolitical objectives, including territorial claims, economic expansion, and technological advancement.

The latest campaign adds to a growing list of cyber operations targeting countries and organizations perceived to be pivotal to these goals.

The Symantec report serves as a wake-up call for Southeast Asia and the global community as it underscores the critical need for vigilance, innovation, and collaboration in the face of increasingly sophisticated cyber adversaries.