Earth Krahang campaign compromised government servers in 23 countries

A two-year cyberespionage campaign by a previously unknown advanced persistent threat (APT) group linked to China compromised 70 organizations — mainly government entities — in 23 countries.

The group targeted public-facing servers, exploited known vulnerabilities, and sent spear-phishing emails to deliver previously unseen backdoor malware, according to researchers at Trend Micro who discovered the campaign.

In a March 18 analysis of the group, which they dubbed "Earth Krahang," researchers Joseph Chen and Daniel Lunghi said the campaign had a strong focus on Southeast Asia, but also targeted entities in America, Europe and Africa.

“Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails,” the researchers said.

“Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists.”
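The point the researchers make above, that a download link hosted on a compromised but legitimate government domain passes a reputation-based domain blocklist, can be shown with a small mail-triage routine. This is an added example, not code from the Trend Micro analysis; the sample email, the government-style domain, the blocklist entries and the extension list are all constructed.

```python
import re
from urllib.parse import urlparse

# Constructed spear-phishing body: the link sits on a fictional government
# domain that the attacker controls after compromising the web server.
SAMPLE_EMAIL = """Dear colleague,
Please review the meeting agenda before Friday:
https://portal.example-ministry.gov.example/uploads/agenda_2024.rar
Regards"""

# Reputation list of the kind many gateways rely on: known-bad hosts only
# (constructed entries).
DOMAIN_BLOCKLIST = {"evil-downloads.example", "malware-cdn.example"}

# Archive/executable types that rarely belong under a public government
# upload path; a heuristic signal, not a verdict on its own.
RISKY_EXTENSIONS = (".rar", ".zip", ".7z", ".exe", ".iso", ".lnk", ".js")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull every http(s) URL out of a plain-text message body."""
    return URL_RE.findall(text)


def blocklist_verdict(url):
    """Reputation-only check: flags nothing unless the host is already known bad."""
    return urlparse(url).hostname in DOMAIN_BLOCKLIST


def content_verdict(url):
    """Reputation-independent check: a trusted (government) host serving a
    downloadable archive or executable is itself worth a closer look."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    trusted_host = host.endswith(".gov") or ".gov." in host
    risky_file = parsed.path.lower().endswith(RISKY_EXTENSIONS)
    return trusted_host and risky_file


def triage(text):
    """Return both verdicts per URL so analysts see where the blocklist is blind."""
    return [
        {
            "url": url,
            "blocklisted": blocklist_verdict(url),
            "trusted_host_serving_payload": content_verdict(url),
        }
        for url in extract_urls(text)
    ]
```

Running `triage(SAMPLE_EMAIL)` shows the constructed link passing the blocklist while the content check flags it, which is the gap the researchers describe.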

Diplomatic entities a top target of Earth Krahang

Trend Micro obtained logs of Earth Krahang’s activities, which showed the gang targeted at least 116 organizations across 35 countries, although only 70 of those victims in 23 countries were confirmed to be compromised.

Forty-eight of the compromised entities were government organizations, while a further 49 government entities were targeted. Earth Krahang was particularly focused on foreign affairs ministries and departments, compromising 10 such organizations and targeting five others.

The threat group used the access it gained to government infrastructure to attack other government entities, the researchers said. It used the servers it compromised to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts.

Earth Krahang also used other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials.

“These credentials are then used to exfiltrate victim emails, with the group’s ultimate goal being cyberespionage,” the researchers said.

Earth Krahang's ties with other Chinese threat groups

Earth Krahang got its name because the researchers discovered a crossover of IP addresses, domain names and command-and-control infrastructure linked to Earth Lusca, a Chinese cyberespionage operation they discovered last year.

Trend Micro’s earlier research on Earth Lusca suggested it could be the penetration team behind I-Soon, the Shanghai-based technology company at the center of a major intelligence leak last month. Documents published on GitHub linked I-Soon to cyberespionage campaigns commissioned by various Chinese government agencies.

“Using this leaked information, we found that the company organized their penetration team into two different subgroups,” Chen and Lunghi said. “This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
