Dive Brief:
- Hackers working for an Asian government have breached at least 70 government agencies and critical infrastructure organizations in 37 countries over the past year as part of an espionage campaign likely aimed at collecting information about rare earth minerals, trade deals and economic partnerships, Palo Alto Networks said in a report published on Thursday.
- “While this group might be pursuing espionage objectives,” researchers with the company’s Unit 42 group wrote in the report, “its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services.”
- The security firm provided indicators of compromise and described the threat actor’s techniques and infrastructure.
Dive Insight:
In addition to penetrating targets in 37 countries — including law-enforcement agencies, finance ministries and trade departments — the threat actor has cast a much wider net, conducting reconnaissance against government networks in 155 countries between November and December, according to Palo Alto Networks’ report.
The company did not attribute the activity of the group — which it tracks as TGR-STA-1030 — to a specific country, but its description of the group aligns closely with the objectives of the Chinese government.
The group’s victims, according to Palo Alto Networks, have included Brazil’s energy ministry, a key agency in the country that is believed to possess the world’s second-largest supply of rare earth minerals; Greece’s Syzefxis Project, which is designed to improve public services through faster internet connections; a Mongolian police agency, which experienced a breach shortly before Mongolia’s justice minister “met with a counterpart from an Asian nation”; and several “national-level telecommunications companies.”
The hackers also penetrated “a major supplier in Taiwan’s power equipment industry,” according to the report. And while an Indonesian airline was negotiating the purchase of airplanes from a U.S. manufacturer, the hackers breached the airline’s networks. “At the same time,” the report said, “a competing interest was actively promoting aircraft from a manufacturer based in Southeast Asia.”
Other attacks pointed even more clearly at Beijing. Weeks after the Czech Republic’s president met with the Dalai Lama, hackers began scanning the networks of the Czech military, the national police, the parliament and multiple national government bureaus. And on Oct. 31, one month before Honduras held a presidential election “in which both candidates signaled openness to restoring diplomatic relations with Taiwan,” the report said, the hackers targeted at least 200 Honduran government IP addresses — one of their most intense periods of activity on record.
The group’s tooling includes a phishing-delivered malware loader originally named DiaoYu, the Chinese word for “fishing,” which scans for a handful of antivirus products before deploying a Cobalt Strike payload. The group has tried to exploit vulnerabilities in Microsoft Exchange Server, SAP Solution Manager and more than a dozen other products and services, researchers said.
Palo Alto Networks also observed the hackers using a unique rootkit, which the security firm dubbed ShadowGuard, to stealthily run inside the Linux kernel’s Extended Berkeley Packet Filter (eBPF) virtual machine. “eBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel space,” researchers wrote. “This allows them to manipulate core system functions and audit logs before security tools or system monitoring applications can see the true data.”
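As an added illustration of the defender-side check this implies (not code from the Unit 42 report or from the group’s tooling), the script below triages the eBPF programs a Linux host has loaded, working from the JSON that `bpftool prog show --json` emits. The embedded sample output and the EXPECTED baseline are constructed assumptions; on a real host you would build the baseline from a known-good machine.

```python
import json
import subprocess

# eBPF program types that sit on kernel hooks (syscalls, tracepoints, LSM)
# and so can alter what audit logs and monitoring tools observe.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Hypothetical host baseline: program names the defender expects to be loaded.
# Anything else sitting on a hook type is worth a closer look.
EXPECTED = {"sched_process_exec", "hid_tail_call"}

# Constructed sample in the shape of `bpftool prog show --json` output (not real data).
SAMPLE = json.dumps([
    {"id": 12, "type": "tracepoint", "name": "sched_process_exec", "tag": "0123456789abcdef",
     "loaded_at": 1700000000, "uid": 0, "map_ids": [3], "pids": [{"pid": 431, "comm": "tracee"}]},
    {"id": 57, "type": "kprobe", "name": "hide_me", "tag": "fedcba9876543210",
     "loaded_at": 1700000100, "uid": 0, "map_ids": [9, 10], "pids": []},
    {"id": 60, "type": "xdp", "name": "xdp_pass", "tag": "aaaabbbbccccdddd",
     "loaded_at": 1700000200, "uid": 0, "map_ids": [], "pids": []},
])

def triage(bpftool_json, expected=EXPECTED):
    """Return the programs that hook kernel paths and are not in the baseline."""
    suspicious = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOK_TYPES:
            continue  # XDP/tc programs do not sit on audit or syscall paths
        if prog.get("name") in expected:
            continue
        # A hook program with no owning process outlived its loader, or was pinned.
        owners = [p["comm"] for p in prog.get("pids", [])] or ["<no owning process>"]
        suspicious.append({"id": prog["id"], "type": prog["type"],
                           "name": prog.get("name", ""), "owners": owners,
                           "map_ids": prog.get("map_ids", [])})
    return suspicious

def triage_live():
    """Query the running kernel (needs root and bpftool on PATH)."""
    out = subprocess.run(["bpftool", "prog", "show", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return triage(out)

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"prog id={hit['id']} type={hit['type']} name={hit['name']!r} "
              f"owners={hit['owners']} maps={hit['map_ids']}")
```

Because a kernel-resident backdoor can also filter what `bpftool` itself is shown, treat an empty result as one signal rather than a clean bill of health, and corroborate it with an independent vantage point such as a trusted live-boot image.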
That tradecraft aligns with recent research on China-linked groups’ use of sophisticated malware.
The threat actor “applies a multi-tiered infrastructure approach to obfuscate its activities,” researchers wrote, but some of the group’s activity still revealed clues about its origins. In some cases, the report said, the hackers connected to victims’ networks from IP addresses belonging to China Mobile Communications Group, one of China’s most important backbone providers.
Palo Alto Networks said its analysis suggested the hackers had been active since January 2024. The group “remains an active threat to government and critical infrastructure worldwide,” it warned.
