Full Report
Google Threat Intelligence Group said it developed means to counter the activity, which it linked to APT41. The post Chinese hackers used Google Calendar to aid attacks on government entities appeared first on CyberScoop.
Analysis Summary
# Threat Actor: APT41
## Attribution & Identity
Attributed with "high confidence" to the People’s Republic of China (PRC) Ministry of State Security (MSS).
Known aliases include: Wicked Panda, Winnti, and Double Dragon.
## Activity Summary
In late October of last year, Google Threat Intelligence discovered a compromised government website hosting malware aimed at multiple other government entities. The group used Google Calendar for Command and Control (C2) so that its traffic would blend in with legitimate activity. In this campaign the group delivered a malware family dubbed TOUGHPROGRESS through spearphishing emails whose payload was hosted on the compromised government site, alongside decoy files/PDFs.
## Tactics, Techniques & Procedures
- Misuse of legitimate cloud services (Google Calendar) for Command and Control (C2).
- TOUGHPROGRESS malware is capable of reading and writing events via an attacker-controlled Google Calendar.
- Commands are encrypted and stored in Calendar events on specific past dates; the malware polls the Calendar, decrypts the event, executes the command, and writes the encrypted response into a separate Calendar event.
- Delivery via spearphishing emails hosted on an exploited website.
- The purpose of routing C2 through Calendar is to make the traffic indistinguishable from legitimate use of the service.
## Targeting
- Sectors: Government entities are the primary victims mentioned in this specific reporting. More broadly, APT41 targets include entertainment, technology, and automotive sectors.
- Geography: Not explicitly detailed for this specific campaign, but the actor is state-sponsored by the PRC. The DOJ previously linked campaigns to hundreds of targets in the United States and elsewhere.
- Victims: Multiple government entities in the latest campaign.
## Tools & Infrastructure
- Malware families used: TOUGHPROGRESS.
- Infrastructure: Attacker-controlled Google Workspace projects and Google Calendars used for C2.
## Implications
APT41 continues to demonstrate innovation in operational security and evasion, specifically by abusing widely used, legitimate cloud services like Google Calendar for resilient C2 infrastructure. This tactic significantly raises the bar for security monitoring as C2 traffic blends seamlessly with normal user activity. The group maintains a broad targeting scope, indicating a sustained state-sponsored espionage and potential profit-driven mission set.
## Mitigations
- Develop custom fingerprints to identify and take down attacker-controlled Calendars (as implemented by Google).
- Terminate attacker-controlled Workspace projects.
- Update file detections and block malicious domains/URLs via blocklists like Google Safe Browsing (or equivalent enterprise solutions).
- Monitor for anomalous use of legitimate cloud services (such as Calendar), in particular non-standard data transfer or steady polling from hosts or clients that do not normally use them.
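The monitoring item above is easier to act on with a concrete heuristic. The following is an added example written for this summary, not code from Google or from the report: it scans web-proxy log lines for hosts that reach the Google Calendar API either at a steady cadence (low jitter between requests, as a polling implant produces) or from a non-browser client. The log format, host names, timestamps and user-agent strings are constructed for the example; the only real identifier is the Calendar API base path on `www.googleapis.com`, and the thresholds are assumptions to tune per environment.

```python
"""Detect beacon-like polling of the Google Calendar API in web-proxy logs.

Added example (not from the original report). A person opening their calendar
produces a handful of irregular requests from a browser; an implant that polls
for commands produces many requests at a near-constant interval, often from a
non-browser HTTP client. This script flags hosts that match the latter pattern.
All log lines, hosts and timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CALENDAR_API_PREFIX = "https://www.googleapis.com/calendar/v3/"  # real Calendar API base path
MIN_REQUESTS = 4        # assumed: fewer hits than this is not enough to judge cadence
MAX_JITTER_CV = 0.2     # assumed: coefficient of variation of inter-request gaps
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")  # assumed browser UA markers

# Constructed proxy log: "<ISO timestamp> <src_host> <method> <url> <user agent>".
# ws-017: normal user, three irregular browser hits.
# ws-042: polls every ~60 s from a non-browser client (the pattern to catch).
# ws-088: four browser hits spread over two hours (count alone should not flag it).
SAMPLE_LOG = """\
2024-10-28T09:00:00 ws-017 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Mozilla/5.0 (Windows NT 10.0) Chrome/129.0
2024-10-28T09:00:03 ws-017 GET https://mail.google.com/mail/u/0/ Mozilla/5.0 (Windows NT 10.0) Chrome/129.0
2024-10-28T09:07:41 ws-017 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Mozilla/5.0 (Windows NT 10.0) Chrome/129.0
2024-10-28T09:31:12 ws-017 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Mozilla/5.0 (Windows NT 10.0) Chrome/129.0
2024-10-28T09:00:10 ws-042 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Go-http-client/1.1
2024-10-28T09:01:10 ws-042 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Go-http-client/1.1
2024-10-28T09:02:09 ws-042 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Go-http-client/1.1
2024-10-28T09:03:11 ws-042 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Go-http-client/1.1
2024-10-28T09:04:10 ws-042 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Go-http-client/1.1
2024-10-28T09:05:12 ws-042 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Go-http-client/1.1
2024-10-28T09:00:00 ws-088 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Mozilla/5.0 (Macintosh) Safari/605.1
2024-10-28T09:05:30 ws-088 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Mozilla/5.0 (Macintosh) Safari/605.1
2024-10-28T09:40:00 ws-088 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Mozilla/5.0 (Macintosh) Safari/605.1
2024-10-28T11:02:00 ws-088 GET https://www.googleapis.com/calendar/v3/calendars/primary/events Mozilla/5.0 (Macintosh) Safari/605.1
"""


def parse_line(line):
    """Split one constructed log line into its fields; the user agent may contain spaces."""
    ts, src, method, url, ua = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method, "url": url, "ua": ua}


def is_calendar_api(url):
    """True for requests to the Calendar REST API (not the Calendar web UI)."""
    return url.startswith(CALENDAR_API_PREFIX)


def looks_like_browser(ua):
    return any(marker in ua for marker in BROWSER_MARKERS)


def interval_cv(timestamps):
    """Relative jitter of the gaps between sorted timestamps (0.0 means perfectly regular)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else float("inf")


def detect_calendar_beacons(log_text):
    """Return one finding per source host whose Calendar API use looks like polling."""
    by_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if is_calendar_api(rec["url"]):
            by_host[rec["src"]].append(rec)

    findings = []
    for src, recs in by_host.items():
        if len(recs) < MIN_REQUESTS:
            continue
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        cv = interval_cv([r["ts"] for r in recs])
        if cv <= MAX_JITTER_CV:
            reasons.append("regular_interval")
        if not all(looks_like_browser(r["ua"]) for r in recs):
            reasons.append("non_browser_ua")
        if reasons:
            findings.append({"src": src, "requests": len(recs),
                             "interval_cv": round(cv, 3), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_calendar_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample data only `ws-042` is reported, with both reasons: its six requests arrive about sixty seconds apart (jitter well under the threshold) from a client that does not identify as a browser. `ws-088` makes as many Calendar API requests as the threshold requires, but at irregular intervals from a browser, so it is not flagged; that is the distinction that keeps a rule like this from paging on ordinary users. In production the same logic applies to Workspace audit logs or proxy exports, and the jitter threshold should be tuned against a baseline of real calendar clients, which also poll but typically with longer and less uniform intervals.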