Lookout specialists have published a 52-page report detailing a multi-year campaign aimed at the Uyghurs, a Muslim national minority living mainly in western China.
As part of this campaign, people's devices have been infected with malware since 2013, allowing the hackers to monitor the activities of Uyghur communities in China's border regions and abroad, in at least 14 countries.
Lookout is confident that a hacker group operating under the auspices of the Chinese government is behind this campaign. Some of the previous operations of this group were documented by other information security experts, and in the past the group received code names such as APT15, GREF, Ke3chang, Mirage, Vixen Panda and Playful Dragon.
Most of the past APT15 attacks relied on Windows malware, but Lookout now reports that the group's arsenal also includes Android tools. Some of them were already known to experts, including the HenBox, PluginPhantom, Spywaller and DarthPusher malware families. In addition, Lookout analysts discovered four new families: SilkBean, DoubleAgent, CarbonSteal and GoldenEagle.
These new Android malware families could be linked to other well-known APT15 tools because they share common infrastructure and the same digital certificates used to sign samples.
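The linkage described above is a standard threat-intelligence pivot: treat every signing certificate and every contacted host as an artifact, and connect any two families that share one. The following is an added example, not code from Lookout or from the report; the sample metadata (family names aside, the host names and certificate fingerprints are constructed placeholders) and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample metadata (not from the Lookout report): each record lists
# the malware family, the hosts the sample contacts and the SHA-256 of the
# certificate that signed the APK. Hosts and fingerprints are placeholders.
SAMPLES = [
    {"sha256": "s1", "family": "HenBox",      "c2": {"c2-a.example"},                 "cert": "CERT_A"},
    {"sha256": "s2", "family": "SilkBean",    "c2": {"c2-a.example", "c2-b.example"}, "cert": "CERT_B"},
    {"sha256": "s3", "family": "DoubleAgent", "c2": {"c2-c.example"},                 "cert": "CERT_B"},
    {"sha256": "s4", "family": "CarbonSteal", "c2": {"c2-c.example"},                 "cert": "CERT_C"},
    {"sha256": "s5", "family": "GoldenEagle", "c2": {"c2-d.example"},                 "cert": "CERT_C"},
    {"sha256": "s6", "family": "Unrelated",   "c2": {"c2-z.example"},                 "cert": "CERT_Z"},
]


def build_pivots(samples):
    """Map every pivotable artifact (cert fingerprint or host) to the families that use it."""
    pivots = defaultdict(set)
    for s in samples:
        pivots[("cert", s["cert"])].add(s["family"])
        for host in s["c2"]:
            pivots[("c2", host)].add(s["family"])
    return pivots


def cluster_families(samples):
    """Union families that share at least one artifact.

    Returns (clusters, evidence): clusters is a sorted list of sorted family
    lists; evidence is a list of (family_a, family_b, artifact) edges that
    explain why each pair was joined, so an analyst can audit every link.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    evidence = []
    for artifact, fams in build_pivots(samples).items():
        for a, b in combinations(sorted(fams), 2):
            union(a, b)
            evidence.append((a, b, artifact))
    for s in samples:          # make sure singleton families appear too
        find(s["family"])
    clusters = defaultdict(set)
    for fam in parent:
        clusters[find(fam)].add(fam)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0]), evidence


if __name__ == "__main__":
    clusters, evidence = cluster_families(SAMPLES)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for a, b, art in evidence:
        print(f"  {a} <-> {b} via {art[0]} {art[1]}")
```

With the constructed data, the four new families and HenBox collapse into one cluster through a chain of shared certificates and hosts, while the unrelated family stays on its own; the evidence list records which artifact produced each edge, which is what makes the attribution reviewable rather than a bare assertion.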
Researchers note that APT15 did not upload its malicious applications to the Google Play Store; instead, it compromised various legitimate sites and used the watering hole technique. The name comes by analogy with predators that hunt at a watering hole, waiting for the animals that come to drink. Malicious code was injected into legitimate sites, which redirected visitors to pages, forums, app stores and other sites where they were asked to download and install applications infected with APT15 malware.
Lookout experts say that in the early stages of investigating the new APT15 malware, they discovered a GoldenEagle spyware control server that the hackers had mistakenly left unprotected. The researchers gained access to this server and collected information about both the hackers' victims and the malware operators.
Looking through the logs obtained this way, the researchers found data from the first devices infected with GoldenEagle. The GPS coordinates reported by these devices were concentrated around the same area, which turned out to be a building in Xi'an, central China, that houses the office of Xi'an Tianhe Defense Technology, a major military contractor.
Researchers believe these initial infections correspond to devices infected at an early stage of the malware's development. Combined with their GPS coordinates, this suggests they were test devices on which the GoldenEagle developers tested their malware, and that those developers were engineers at Xi'an Tianhe Defense Technology.
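The reasoning in the two paragraphs above rests on a simple check an analyst can reproduce: take the earliest device check-ins from a control server's logs and measure how tightly their reported locations cluster. The following is an added example, not the researchers' code or Lookout's; the log format, the coordinates and the function names are constructed assumptions, and the coordinates do not point at any real building.

```python
import math
from datetime import datetime

# Constructed check-in log (not the real server logs): timestamp, device id,
# latitude, longitude. The first three devices sit within a few hundred metres
# of each other; later ones are scattered across distant cities. Placeholder values.
LOG = """\
2013-02-01T09:00:00 dev-001 34.2620 108.9450
2013-02-01T09:05:00 dev-002 34.2631 108.9462
2013-02-01T10:10:00 dev-003 34.2615 108.9441
2013-02-01T11:00:00 dev-001 34.2622 108.9453
2013-06-15T08:00:00 dev-010 39.9042 116.4074
2013-09-02T12:30:00 dev-011 43.8256 87.6168
2014-01-20T17:45:00 dev-012 25.2048 55.2708
"""


def first_seen(log_text):
    """Return {device_id: (first_timestamp, lat, lon)}, keeping each device's earliest check-in."""
    seen = {}
    for line in log_text.splitlines():
        ts, dev, lat, lon = line.split()
        t = datetime.fromisoformat(ts)
        if dev not in seen or t < seen[dev][0]:
            seen[dev] = (t, float(lat), float(lon))
    return seen


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    r = 6_371_000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def earliest_devices(log_text, n):
    """The n devices with the earliest first check-in, as (device, lat, lon), oldest first."""
    ordered = sorted(first_seen(log_text).items(), key=lambda kv: kv[1][0])
    return [(dev, lat, lon) for dev, (_, lat, lon) in ordered[:n]]


def spread_m(points):
    """Centroid of (lat, lon) points and the largest distance from any point to it.

    The plain arithmetic mean is adequate for points that are close together;
    it is only a rough centre for widely separated points, which is fine here
    because the question is whether the spread is hundreds of metres or hundreds
    of kilometres.
    """
    lat = sum(p[0] for p in points) / len(points)
    lon = sum(p[1] for p in points) / len(points)
    return (lat, lon), max(haversine_m((lat, lon), p) for p in points)


if __name__ == "__main__":
    for n in (3, 4):
        devs = earliest_devices(LOG, n)
        centre, radius = spread_m([(lat, lon) for _, lat, lon in devs])
        print(f"first {n} devices: centre={centre[0]:.4f},{centre[1]:.4f} spread={radius:.0f} m")
```

Running it shows the first three devices within about 150 m of a common centre, while adding the fourth device pushes the spread to hundreds of kilometres: the earliest infections form a tight cluster that later victims do not belong to, which is the pattern the researchers used to argue those first devices were the developers' own test phones.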
It must be said that this is far from the first exposure of this kind. For many years now, the Intrusion Truth group has been deanonymizing Chinese "government hackers". Between 2017 and 2019, Intrusion Truth linked four hacker groups to various Chinese intelligence contractors:
- APT3 – affiliated with Boyusec, which collaborates with the Chinese authorities and is associated with state security in Guangdong;
- APT10 – associated with a number of companies that cooperate with the Chinese authorities and are linked to state security in the city of Tianjin;
- APT17 – associated with a number of companies that cooperate with the Chinese authorities and are linked to state security in the city of Jinan;
- APT40 – associated with a number of shell companies that cooperate with the Chinese authorities and are linked to state security in Hainan.