APT15: Researchers at Lookout have discovered a multi-year hacking campaign that targeted the Uighur ethnic minority in Western China and the Tibetan community. The campaign targeted these individuals with malware that allowed government threat actors to keep an eye on the activities of minority communities within China’s borders and in at least 14 other countries. Lookout stated that it attributed these attacks to APT15 by using Android malware that has been previously used by APT15 and the use of shared infrastructure between the new tools and the original Android tool they analyzed. APT15 has been known in the past to use tools designed to infect Windows desktops as well as Android devices. Four new hacking tools were discovered that were named SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle. Furthermore, researchers discovered an unsecured Command and Control (C2) server for GoldenEagle, which they analyzed and found that the victims during the early stages of the infections were all located around the building of the Xi’an Tianhe Defense Technology Company. It is believed that these early infections surrounding the company were used as tests during the development phase, leading Lookout to believe the malware was developed by the Defense Technology company, and that they were hired by Chinese Government Intelligence to share information on the location of its victims.
Analyst Notes
If the allegations from Lookout are correct that the malware was created by the Defense Technology Company, it would not be the first time a Chinese APT was linked to a contractor in China. It is common for Chinese contractors to provide hacking services as a way to cover the Chinese Government—if the group is ever outed, the government can deny association. Based on research at other companies, the Chinese Ministry of State Security outsources its hacking operations to contractors who reportedly take directions directly from Chinese intelligence officials. The Chinese government has always been interested in surveilling the activities of ethnic minorities in their border communities and surrounding countries, and this new malware used for these tasks comes as no surprise.
More can be read here: https://www.zdnet.com/article/connection-discovered-between-chinese-hacker-group-apt15-and-defense-contractor/
