Advanced persistent threat operation Sandman and Chinese threat cluster Storm-0866, also known as Red Dev 40, share significantly similar attack techniques, as evidenced by the coexistence of their respective LuaDream and KEYPLUG malware in the same networks, The Hacker News reports.
Aside from sharing infrastructure control and management practices, Sandman and Storm-0866 also use backdoors with similar designs and functionalities, according to a report from PwC, SentinelOne, and the Microsoft Threat Intelligence team.
"The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order. The high-level execution flows of LuaDream and KEYPLUG are very similar," said researchers.
While there has been no evidence suggesting that LuaDream and KEYPLUG are developed by a single vendor, it is possible that malware could be supplied by dedicated channels across the Chinese threat landscape, said SentinelLabs researcher Aleksandar Milenkoski.
Since PIXHELL requires no specialized audio equipment, threat actors could leverage social engineering and software supply chain attacks to distribute malware that triggers the covert exfiltration channel, creating an acoustic channel for the data.
Russian state-sponsored threat group Coldriver has been suspected by the Free Russia Foundation of being behind the intrusion, which involved the targeting of several entities to exfiltrate internal documents, grant reports, and other correspondence in retaliation against pro-democracy Russians.
Simultaneous target infiltration and reconnaissance, network compromise, and data exfiltration activities have been performed by Clusters Alpha, Bravo, and Charlie, respectively.