The threat actor UAT4356, also tracked as Storm-1849, which was behind the ArcaneDoor cyberespionage campaign targeting Cisco firewalls and other vendors' perimeter network devices, has been linked to China following an investigation of the group's attack infrastructure, according to The Hacker News.
Most of the operation's online hosts presenting the SSL certificate were linked to the ChinaNet and Tencent autonomous systems, and UAT4356 has also used an IP address referencing an anti-censorship tool based on an open-source project with a Chinese-language website, a report from Censys showed. The findings indicate that "some of these hosts were running services associated with anti-censorship software likely intended to circumvent The Great Firewall," said researchers.
The development follows a Sekoia report detailing the PlugX trojan, which was found to have targeted countries crucial to the success of China's Belt and Road Initiative.
"[PlugX] was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects," said Sekoia researchers.