Cyber Group with Chinese Ties Conducts Espionage on South China Sea Nations
A new cyber threat actor, suspected of ties to China, has been targeting military and government organizations in the South China Sea countries since 2018, according to Romanian cybersecurity company Bitdefender.
Bitdefender researchers named the threat actor “Unfading Sea Haze” and noted that its operations are aligned with China’s geopolitical interests, with attacks focusing on espionage, according to their report published on May 22. “The targets and nature of the attacks suggest alignment with Chinese interests,” the report reads.
“No other overlaps with APT41’s known tools were identified. This single similarity could be another indication of shared coding practices within the Chinese cyber threat scene,” the report reads.
Unfading Sea Haze targeted at least eight victims, including mostly military and government targets since 2018, the report stated, and it “repeatedly regained access to compromised systems.”
Related Story
One method the group used to infiltrate target systems was sending spear-phishing emails with malicious ZIP archives. “These archives contained LNK files disguised as regular documents. When clicked, these LNK files would execute malicious commands,” the report reads.
Some of the ZIP archive names included “Data,” “Doc,” and “Startechup_fINAL,” according to the report.
The threat group’s attackers began using new ZIP archive names in March 2024, including “Assange_Labeled_an_‘Enemy’_of_the_US_in_Secret_Pentagon_Documents102“ and “Presidency of Barack Obama.” Other ZIPs were misleadingly named as installers, updaters, and documents of Microsoft Windows Defender.
After gaining access to targeted systems, Unfading Sea Haze used “a combination of custom and off-the-shelf tools” to collect data.
One custom tool is a keylogger named “xkeylog” to capture keystrokes on victim machines. Another custom tool is a browser data sealer to target data stored in Google Chrome, Firefox, Microsoft Edge, or Internet Explorer.
A third custom tool allowed Unfading Sea Haze to monitor the presence of portable devices on compromised systems. “[T]he tool checks for portable devices every 10 seconds. If a WPD or USB is mounted, it gathers details about the device, and sends them using HTTP GET request to an attacker-controlled server,” the report explains.
Unfading Sea Haze also collected data from messaging apps including Telegram and Viber, according to the report. Additionally, the group also used the RAR compression tool to manually collect data.
“This blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” the report reads.
The threat group went undetected for over five years, a phenomenon the report said “is particularly concerning” and the attackers “demonstrated a sophisticated approach to cyberattacks.”
The researchers said they publicized their findings because they “want to help the security community with the knowledge to detect and disrupt their espionage efforts.”
The report ended with some recommendations on how to mitigate risks posed by Unfading Sea Haze and other similar threat actors. Prioritizing patch management, enforcing strong password policies, monitoring network traffic, and collaborating with the cybersecurity community are among the tips offered by Bitdefender researchers.
