A Chinese-speaking APT group, Calypso, has actively been targeting state institutions in six countries, hacking systems and injecting a program to gain access to internal networks, according to a report from researchers at Positive Technologies Expert Security Center.
The researchers found the hackers gained initial access either by exploiting the MS17-010 remote code execution vulnerability or by using stolen credentials.
“These attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by specialists everywhere for network administration,” said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies. “The group used publicly available utilities and exploit tools, such as SysInternals, Mimikatz and EternalRomance. Using these widely available tools, the attackers infected computers on the organization's LAN and stole confidential data.”
Research indicates the campaign is the work of an Asian group. In one attack, the attackers, who are believed to have originated in Asia, used PlugX malware, a signature of Chinese APT groups, and some of them inadvertently revealed IP addresses belonging to Chinese providers.
Positive Technologies experts said the group also used the Byeby trojan, which had previously appeared in a 2017 SongXY malware campaign.
Institutions in India were hit the hardest, followed by those in Brazil, Kazakhstan, Russia, Thailand and Turkey.