A hacker group with links to China recently used Venezuela-themed phishing emails in a malware campaign targeting US government-related entities, as cyberattack campaigns increasingly leverage geopolitical materials, according to Swiss cybersecurity firm Acronis.
A malware campaign has used recent developments between the US and Venezuela as “thematic lures” to attack US government and policy-related entities with a back door that has espionage-focused capabilities, including basic remote tasking and data exfiltration, Acronis said in a report on Thursday.
The firm said that it attributed this activity to a group named Mustang Panda “with moderate confidence” based on certain infrastructural and operational patterns.
While Acronis did not identify Mustang Panda as a Chinese group, global cybersecurity research teams have described it as a China-based cyber threat actor.
It has been active since 2012 and has launched cyberattacks against organisations worldwide deemed adversaries of the Communist Party, according to Singapore-based cybersecurity firm Cyfirma.
The US Department of Justice (DOJ) in January last year called Mustang Panda a hacker group sponsored by the People’s Republic of China.
“China has consistently opposed and legally combated all forms of hacking activities, and will never encourage, support or condone cyberattacks,” a spokesperson at the Chinese embassy in Washington wrote in an emailed statement to the Post.
“China firmly opposes the dissemination of false information about so-called ‘Chinese cyber threats’ for political purposes,” the spokesperson said.
China and the US have in recent years increasingly pointed the finger at each other for conducting or sanctioning cyberattacks.
In October, China’s Ministry of State Security, the country’s top counter-espionage agency, accused the US National Security Agency (NSA) of attacking China’s national time centre.
It said that the NSA had exploited a security flaw that allowed it to secretly take control of the foreign-brand mobile phones of several staff at the time centre and steal sensitive data.
The campaign could have had a “severe impact” on the orderly functioning of society, the ministry said.
In March last year, the US DOJ also said that Beijing had been orchestrating a “hacker for hire” ecosystem that employed private sector individuals to carry out cyberattacks to steal data worldwide.
The DOJ indicted 12 Chinese nationals, including two officials from China’s Ministry of Public Security, members of the alleged Beijing-backed hacking group APT27, and employees of a private Chinese firm named Anxun Information Technology Co Ltd, also known as i-Soon.
Mustang Panda’s latest campaign reflected a continued trend of using “geopolitical lures” for targeted phishing, Acronis said.
The firm investigated the campaign after seeing a file named “US now deciding what’s next for Venezuela.zip” that was uploaded for automated malware analysis from a US-based IP address.
While the malware itself “demonstrated limited technical sophistication”, Mustang Panda’s campaign showed that simple techniques could still be effective when paired with “targeted delivery” and “relevant geopolitical lures”, Acronis said.
Acronis could not determine how many people the campaign had compromised, according to a spokesperson.
“Unless the attackers were to disclose it, there’s no way to determine how successful the campaign was,” the spokesperson said. -- SOUTH CHINA MORNING POST
