SecurityWeek reports that telecommunications firms and IT service providers in the Middle East and Asia are being subjected to attacks by Chinese advanced persistent threat group WIP19.
Numerous malware families have been used by WIP19, including SQLMaggie, ScreenCap, and a credential dumper, while malicious components have been signed by the APT using stolen certificates, a SentinelOne report showed.
Examination of the group's backdoors has prompted researchers to associate some of the group's components with Chinese-speaking malware author WinEggDrop. WIP19 has also likely stolen the valid certificate it has been using to sign its malware and credential harvesting tools from DEEPSoft Co., a messaging provider in South Korea.
"The intrusions we have observed involved precision targeting and were low in volume. Specific user machines were hardcoded as identifiers in the malware deployed, and the malware was not widely proliferated. Further, the targeting of telecommunications and IT service providers in the Middle East and Asia suggest the motive behind this activity is espionage-related," said SentinelOne.
Several U.S. defense and government organizations have been targeted by state-backed Chinese hacking group Bronze Silhouette, also known as Volt Typhoon, for military intelligence over a period of at least two years, according to The Record, a news site by cybersecurity firm Recorded Future.
Russian, North Korean, and Iranian advanced persistent threat operations have been launching more attacks aimed at compromising small- and medium-sized businesses, as well as their regional managed service providers, reports SecurityWeek.