Full Report
Security researchers from the threat hunting and intelligence company Group-IB have revealed that in 2020, at least two espionage groups from China targeted the Russian Federal authorities. Source: the post "Researchers Perform An Analysis on Chinese Malware Used Against Russian Government", which appeared first on Hacker Combat.
Analysis Summary
# Threat Actor: Chinese Espionage Groups (TaskMasters and TA428)
## Attribution & Identity
* **Attribution:** Chinese espionage groups linked to the Chinese government, potentially operating from intelligence units of the People’s Liberation Army of China (PLAC).
* **Known Aliases and Associated Groups:** TaskMasters and TA428. Group-IB suggests these might be sub-units of a single, larger Chinese hacker group.
* **Associations:** The actors exchange infrastructure and tools across known Chinese APT groups.
## Activity Summary
* **Historical Activities:** TaskMasters has been active since 2013, targeting organizations in Russia and the CIS region. TA428 has been operating since 2013, focusing primarily on East Asian government agencies.
* **Recent Campaigns (2020):** Both TaskMasters and TA428 are implicated in targeting Russian Federal authorities in 2020.
* **Specific Incident:** Attempted compromise of Russian federal officials’ emails using the Mail-O malware, aiming to steal confidential data, including classified documents belonging to top federal executives.
* **Other Activity:** In late 2018, the Russian financial sector reportedly suffered significant losses from cyber-attacks attributed to these actors.
## Tactics, Techniques & Procedures
* **Evasion & Stealth:** Use of malware that went undetected, of legitimate system utilities in place of custom tooling, and of a thorough understanding of government data protection tools; this let the actors remain hidden for years, often exfiltrating gigabytes of data without detection.
* **Persistence/Execution:** TaskMasters is named for its ability to create tasks in the Windows Task Scheduler to execute commands or run software at specific times.
* **Data Exfiltration:** Theft of classified documents and executive email.
* **MITRE ATT&CK Indicators (Implied):** Tactics likely include Execution, Persistence, Defense Evasion, and Exfiltration.
## Targeting
* **Sectors:** State agencies, official federal authorities (Russian), research institutes, military contractors, government agencies (Russia and East Asia), transport companies, and industrial/energy firms.
* **Geography:** Russia and CIS countries (TaskMasters focus); East Asian government agencies (TA428 focus).
* **Victims:** Russian Federal authorities, top federal executives, Russian financial sector organizations.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Mail-O:** Used in the 2020 attacks against Russian government agencies for email access.
  * **WebDAV-O:** Used to gain remote access and steal data; similarities noted with BlueTraveller.
  * **BlueTraveller (RamShell):** Associated with TaskMasters; similarities found with WebDAV-O.
  * **Albaniiutas:** A novel malware family believed to be a continuation of BlueTraveller, found in TA428’s portfolio.
  * **Manager/PhantomNet:** Previously associated with similar activity by SentinelOne.
* **Infrastructure:** Evidence suggests these groups exchange and share infrastructure.
## Implications
These Chinese APT groups are characterized as numerous, aggressive, and highly skilled, capable of maintaining long-term, undetected espionage operations within sensitive government networks. The apparent sharing of infrastructure and malware evolution (e.g., BlueTraveller to Albaniiutas) suggests a coordinated, well-resourced state-sponsored effort focused on intelligence gathering against strategic geopolitical rivals.
## Mitigations
* Implement advanced Endpoint Detection and Response (EDR) solutions capable of detecting subtle anomalies, including the use of legitimate system utilities for malicious purposes.
* Monitor Task Scheduler activity closely for unusual task creation or execution, since scheduled tasks are this actor's documented persistence mechanism.
* Enhance monitoring for data exfiltration volumes, particularly against high-value targets like executive email systems.
* Routinely audit the IT infrastructure for toolsets or C2 infrastructure that overlap with those reported for other APT groups, since these actors are known to share both.
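To act on the Task Scheduler monitoring point above, the following added example (not code from the Group-IB or Hacker Combat reporting) parses constructed Windows Security event 4698 "scheduled task was created" records and returns the reasons a task creation deserves triage. The event field layout follows the documented 4698 XML; the heuristics (user-writable staging paths, script hosts, encoded PowerShell, hidden tasks) and the sample task names, user names and paths are assumptions, not indicators from the page.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristics: staging in user-writable directories, script hosts, encoded PowerShell, hidden tasks
WRITABLE_PATH = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
ENCODED_PS = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\b", re.I)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe"}

def parse_4698(event_xml: str) -> dict:  # one rendered 4698 event; TaskContent carries the task XML
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    task = ET.fromstring(data["TaskContent"])
    exec_node = task.find("t:Actions/t:Exec", TASK_NS)  # None when the action is a COM handler
    text = (lambda tag: exec_node.findtext(tag, "", TASK_NS)) if exec_node is not None else (lambda tag: "")
    hidden = task.findtext("t:Settings/t:Hidden", "false", TASK_NS).strip().lower() == "true"
    return {"user": data.get("SubjectUserName", ""), "task": data.get("TaskName", ""),
            "command": text("t:Command"), "arguments": text("t:Arguments"), "hidden": hidden}

def score_task(t: dict) -> list:  # reasons to escalate; an empty list means nothing was flagged
    reasons = []
    exe = t["command"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if WRITABLE_PATH.search(t["command"]) or WRITABLE_PATH.search(t["arguments"]):
        reasons.append("binary or argument in user-writable path")
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host launched: {exe}")
    if ENCODED_PS.search(t["arguments"]):
        reasons.append("encoded PowerShell command")
    if t["hidden"]:
        reasons.append("task marked hidden")
    return reasons

def make_event(user: str, task_name: str, task_xml: str) -> str:
    # Constructed event in the layout Windows renders: TaskContent is XML-escaped inside its Data element
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data><Data Name="TaskName">{task_name}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')

def task_xml(command: str, arguments: str, hidden: bool) -> str:
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}"><Settings><Hidden>{str(hidden).lower()}'
            f'</Hidden></Settings><Actions Context="Author"><Exec><Command>{escape(command)}'
            f'</Command><Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')

SAMPLE_EVENTS = [  # constructed: a vendor updater, and a hidden PowerShell task run from Users\Public
    make_event("SYSTEM", r"\Vendor\Updater", task_xml(r"C:\Program Files\Vendor\updater.exe", "/check", False)),
    make_event("ivanov", r"\Microsoft\Windows\Sync", task_xml(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"-nop -w hidden -ExecutionPolicy Bypass -File C:\Users\Public\sync.ps1", True)),
]
```

In production the same functions run over events exported with `wevtutil` or `Get-WinEvent` rather than the constructed samples, and the reasons list feeds an alert rather than a printout.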