World News

Cyber Group with Chinese Ties Conducts Espionage on South China Sea Nations

A new cyber threat actor, suspected of ties to China, has been targeting military and government organizations in the South China Sea countries since 2018, according to Romanian cybersecurity company Bitdefender.

Bitdefender researchers named the threat actor “Unfading Sea Haze” and noted that its operations are aligned with China’s geopolitical interests, with attacks focusing on espionage, according to their report published on May 22. “The targets and nature of the attacks suggest alignment with Chinese interests,” the report reads.

The group had created “a sophisticated arsenal of custom malware and tools,” the researchers noted, with one of its techniques being found to overlap with that of a well-known China-back espionage group APT41.

“No other overlaps with APT41’s known tools were identified. This single similarity could be another indication of shared coding practices within the Chinese cyber threat scene,” the report reads.

ATP41 is one of many known Chinese Advanced Persistent Threats (APTs) that have carried out malicious cyber activities targeting Western institutions, companies, and governments. Others have included APT10 and APT40. Currently, five Chinese nationals from APT41 are on the FBI’s wanted list, after they were indicted in 2020 on charges relating to hacking campaigns to steal trade secrets and sensitive information from more than 100 companies and entities worldwide.

Unfading Sea Haze targeted at least eight victims, including mostly military and government targets since 2018, the report stated, and it “repeatedly regained access to compromised systems.”

Related Story

China-Backed Cyber Espionage Group APT41 Turns to Financial Crime, Report Says

One method the group used to infiltrate target systems was sending spear-phishing emails with malicious ZIP archives. “These archives contained LNK files disguised as regular documents. When clicked, these LNK files would execute malicious commands,” the report reads.

Some of the ZIP archive names included “Data,” “Doc,” and “Startechup_fINAL,” according to the report.

The threat group’s attackers began using new ZIP archive names in March 2024, including “Assange_Labeled_an_‘Enemy’_of_the_US_in_Secret_Pentagon_Documents102“ and “Presidency of Barack Obama.” Other ZIPs were misleadingly named as installers, updaters, and documents of Microsoft Windows Defender.

After gaining access to targeted systems, Unfading Sea Haze used “a combination of custom and off-the-shelf tools” to collect data.

One custom tool is a keylogger named “xkeylog” to capture keystrokes on victim machines. Another custom tool is a browser data sealer to target data stored in Google Chrome, Firefox, Microsoft Edge, or Internet Explorer.

A third custom tool allowed Unfading Sea Haze to monitor the presence of portable devices on compromised systems. “[T]he tool checks for portable devices every 10 seconds. If a WPD or USB is mounted, it gathers details about the device, and sends them using HTTP GET request to an attacker-controlled server,” the report explains.

Unfading Sea Haze also collected data from messaging apps including Telegram and Viber, according to the report. Additionally, the group also used the RAR compression tool to manually collect data.

“This blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” the report reads.

The threat group went undetected for over five years, a phenomenon the report said “is particularly concerning” and the attackers “demonstrated a sophisticated approach to cyberattacks.”

The researchers said they publicized their findings because they “want to help the security community with the knowledge to detect and disrupt their espionage efforts.”

The report ended with some recommendations on how to mitigate risks posed by Unfading Sea Haze and other similar threat actors. Prioritizing patch management, enforcing strong password policies, monitoring network traffic, and collaborating with the cybersecurity community are among the tips offered by Bitdefender researchers.

China is currently in dispute with Brunei, Malaysia, the Philippines, Vietnam, and Taiwan in a territorial dispute over reefs, islands, and atolls in the South China Sea. A 2016 international ruling rejected Beijing’s “Nine-dash line” claim to about 85 percent of the South China Sea’s 2.2 million square miles.
In February, the Philippines announced that hackers based in China tried unsuccessfully to break into the country’s websites and e-mail systems of the president and government agencies.

Source link


I'm TruthUSA, the author behind TruthUSA News Hub located at With our One Story at a Time," my aim is to provide you with unbiased and comprehensive news coverage. I dive deep into the latest happenings in the US and global events, and bring you objective stories sourced from reputable sources. My goal is to keep you informed and enlightened, ensuring you have access to the truth. Stay tuned to TruthUSA News Hub to discover the reality behind the headlines and gain a well-rounded perspective on the world.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.