Russian government agencies were attacked either by two hacker groups or by a single group made up of several units.
A series of cyberattacks on Russian authorities in 2020 may have been carried out by several hacker groups funded by the Chinese government.
A new report by information security company Group-IB provides a detailed analysis of the Webdav-O malware used in the attacks. According to the report, the malware has much in common with the well-known BlueTraveller Trojan, which is associated with the Chinese hacker group TaskMasters and has been used in cyber-espionage operations aimed at stealing confidential documents.
According to the authors of the report, Chinese APTs are among the most numerous and aggressive hacker groups in the world. Most often they attack government departments, industrial enterprises, military contractors and research institutes. Their main goal is espionage: the attackers gain access to confidential data and try to hide their presence on the victim's networks for as long as possible.
Group-IB's report is based on several incidents publicly disclosed this May by Solar JSOC and SentinelOne. Both companies described the Mail-O malware used in attacks on the heads of Russian government agencies, whose aim was to gain access to the victims' accounts in Mail.ru services. SentinelOne linked this malware to the previously known PhantomNet / SManager malware from the TA428 group's arsenal.
The new report describes a Webdav-O sample uploaded to VirusTotal in November 2019, which has a lot in common with the sample described by Solar JSOC. However, the version of the malware presented in the report is a newer, partially improved build with additional functions. This malware also has similarities to the BlueTraveller Trojan: in particular, the two share much of their source code and their command-processing mechanisms.
A detailed analysis of the TA428 toolkits showed that BlueTraveller also has a lot in common with the Albaniiutas malware, which was attributed to the group's arsenal in December 2020. In other words, both Albaniiutas and Webdav-O are updated versions of BlueTraveller.
"It is noteworthy that Chinese hacker groups are actively exchanging tools and infrastructure, and perhaps this is the case. This means that one Trojan can be configured and modified by hackers from different groups with different levels of training and pursuing different goals," the researchers explained.
According to the experts, Russian government agencies were therefore attacked in 2020 either by two groups, TA428 and TaskMasters, or by a single group that combines several units.