Earth Krahang targets government sectors with cyber espionage

March 22, 2024

A new cyber espionage campaign run by a Chinese Advanced Persistent Threat (APT) group called Earth Krahang has hit government entities around the world.

Based on reports, these activities have infiltrated 70 organisations in about 23 countries, with approximately 116 entities targeted across 45 nations. The attackers’ primary objective is breaching and compromising Foreign Affairs ministries.

Researchers stated that these operations started as early as 2022. The campaign combined two approaches: exploiting vulnerabilities in internet-facing servers and spear-phishing, both used to deploy custom backdoors.

The Earth Krahang APT group capitalised on open-source tools to exploit specific vulnerabilities.

According to investigations, the Earth Krahang APT group leveraged open-source tools to meticulously scan public-facing servers for specific vulnerabilities such as CVE-2023-32315 and CVE-2022-21587.

Once a vulnerable server was identified, the attackers deployed webshells to gain unauthorised access and establish persistence within the compromised network. They also sent spear-phishing emails built around geopolitical themes to lure recipients into opening malicious attachments or clicking embedded links.

Earth Krahang runs its cyber espionage campaign on the infrastructure it has already compromised: it uses that infrastructure to host and distribute malicious payloads, to proxy attack traffic, and to send further spear-phishing emails from hijacked government email accounts.

Further study also uncovered instances where the attackers hijacked government mailboxes to distribute malware-laden attachments to hundreds of internal email addresses within the same impacted entity.
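The mailbox-hijacking behaviour described above leaves a measurable trace at the mail gateway: one internal sender suddenly mailing attachments to many distinct internal recipients in a short window. The following detection is an added example, not code from the original report or from the researchers it cites; the log format, the organisation domain gov.example, the thresholds and the sample lines are all constructed assumptions.

```python
"""Flag an internal mailbox that suddenly mass-mails attachments to colleagues."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "gov.example"  # assumed organisation domain (constructed)

# Constructed mail-gateway log sample (not real data). Assumed line format:
# <ISO timestamp> from=<sender> to=<recipient> attach=<yes|no>
SAMPLE_LOG = """\
2024-03-01T09:00:01 from=alice@gov.example to=bob@gov.example attach=no
2024-03-01T09:05:10 from=clerk@gov.example to=u1@gov.example attach=yes
2024-03-01T09:05:11 from=clerk@gov.example to=u2@gov.example attach=yes
2024-03-01T09:05:12 from=clerk@gov.example to=u3@gov.example attach=yes
2024-03-01T09:05:13 from=clerk@gov.example to=u4@gov.example attach=yes
2024-03-01T11:00:00 from=alice@gov.example to=u1@gov.example attach=yes
2024-03-01T11:00:01 from=alice@gov.example to=u2@gov.example attach=yes
2024-03-02T09:00:00 from=alice@gov.example to=u3@gov.example attach=yes
"""

def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, has_attachment)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.fromisoformat(ts), fields["from"], fields["to"],
            fields["attach"] == "yes")

def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)

def find_mass_internal_senders(log_text, max_recipients=3,
                               window=timedelta(minutes=30)):
    """Return {sender: peak distinct internal recipients} for internal senders
    that mailed attachments to more than max_recipients distinct internal
    addresses within any sliding window. Thresholds are illustrative."""
    events = defaultdict(list)  # sender -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, has_attach = parse_line(line)
        if has_attach and is_internal(sender) and is_internal(rcpt):
            events[sender].append((ts, rcpt))
    flagged = {}
    for sender, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # a window opens at each event
            rcpts = {r for t, r in evs[i:] if t - start <= window}
            if len(rcpts) > max_recipients:
                flagged[sender] = max(flagged.get(sender, 0), len(rcpts))
    return flagged
```

In production the threshold would be set well above the organisation's normal internal mailing volume (the report speaks of hundreds of recipients), and a hit would be triaged together with the sender's recent login locations.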

The group carried out these attacks using tools such as Cobalt Strike, RESHELL and XDealer. The latter malware has been observed compromising both Linux and Windows systems.

Previous research about XDealer stated that it could capture screenshots, log keystrokes, and intercept clipboard data.

Researchers have speculated that there is a connection between Earth Krahang and the China-nexus actor Earth Lusca. However, subsequent studies have treated Earth Krahang as an independent threat group, despite signs that it is affiliated with the Chinese conglomerate I-Soon, which is also notorious for funding state-sponsored cyber espionage.

The revelations surrounding Earth Krahang's recent campaign highlight the urgent need for stronger cybersecurity measures. Government agencies worldwide should be alert to such attacks, since they are this APT group's primary target.
