Group-IB Threat Intelligence specialists revealed the details of cyber attacks on leading Russian IT companies in the summer of 2022 and collected technical evidence of the connection of the identified cyber attack with the pro-state group Tonto Team, which many researchers attribute to China.
You have a letter from China
On June 20, 2022, the Group-IB Managed XDR system, capable of detecting and stopping sophisticated cyber threats, issued a blocking alert for malicious emails sent to two company employees. In addition to Group-IB, the recipients included several dozen leading IT and information security companies, all of them in Russia (in line with the established protocol, they were notified of the threat), Group-IB told Forbes, without specifying who was among the recipients of this mailing.
“We notified about the threat by mail and added a message about the attack to the Group-IB Threat Intelligence system (“Cyber intelligence by subscription”), where all our customers could see this notification,” Group-IB said. “Some told us that they had already seen this mailing too, and thanked us, and we notified some through the system.” According to a Forbes source familiar with the details of the attack, this list included “telecom operators, software developers, vendors, one well-known search engine.” However, nothing indicates that the attackers succeeded in any of the cases. VK, MTS, MegaFon, VimpelCom declined to comment, Tele2 and Rostelecom did not respond to Forbes’ request. “We did not record attacks on our services,” Yandex told Forbes.
For malicious mailings, the attackers used fake mail registered in the popular free mail service GMX Mail (Global Message eXchange). However, the correspondence itself was conducted on behalf of a real employee of the information security company, who allegedly sent a “minutes of the meeting” with a discussion of the security of the cloud infrastructure. According to Group-IB, after conducting their investigation, the company’s specialists received several evidence of the involvement of the Chinese pro-state group Tonto Team (also known under other names – HeartBeat, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut) in this attack.
For example, hackers used phishing emails to deliver Microsoft Office documents that were created in the Royal Road Weaponizer, a malicious RTF exploit builder, a tool that has long been actively used by Chinese pro-state groups. In addition, experts discovered the Bisonal.DoubleT backdoor — this tool is a unique development of the Chinese pro-state group Tonto Team and has been used by hackers since at least 2019, Group-IB explains.
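As an added illustration, not part of the original article or of Group-IB's tooling, the Python script below shows how a mail-gateway triage step could flag the two lure traits described above: a sender whose display name matches a known employee but whose address is on a GMX free-mail domain, and an RTF attachment whose embedded OLE object references the Equation Editor or the "8.t" drop name, two heuristic markers commonly associated with Royal Road-built documents (an assumption of this example, not a claim from the article). The sample message, the employee directory and the domain list are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample message modelled on the lure described above (not a real capture).
SAMPLE_EML = rb"""From: "Ivan Petrov" <ivan.petrov.secteam@gmx.com>
To: analyst@example-target.test
Subject: Minutes of the meeting: cloud infrastructure security
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached minutes.
--b1
Content-Type: application/rtf; name="minutes.doc"
Content-Disposition: attachment; filename="minutes.doc"
Content-Transfer-Encoding: 7bit

{\rtf1{\object\objemb{\*\objdata 4571756174696f6e2e33}}}
--b1--
"""

FREE_MAIL_DOMAINS = {"gmx.com", "gmx.net", "gmx.de"}   # free webmail, as in the campaign
KNOWN_EMPLOYEES = {"Ivan Petrov"}                        # constructed internal directory
RISKY_TYPES = {"application/rtf", "text/rtf", "application/msword"}
OLE_MARKERS = (b"Equation.3", b"8.t")                    # heuristic markers (assumption)

def objdata_blobs(rtf: bytes):
    """Yield the decoded contents of every \\objdata hex group in an RTF body."""
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]  # drop a dangling nibble
        yield bytes.fromhex(hexdata.decode("ascii"))

def triage(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    if sender.display_name in KNOWN_EMPLOYEES and sender.domain.lower() in FREE_MAIL_DOMAINS:
        findings.append(f"display-name impersonation: {sender.display_name!r} via {sender.domain}")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        fname = part.get_filename() or "<unnamed>"
        is_rtf = data.lstrip().startswith(b"{\\rtf")   # extension says .doc, content is RTF
        if part.get_content_type() in RISKY_TYPES or is_rtf:
            findings.append(f"office/RTF attachment: {fname} ({part.get_content_type()})")
        for blob in objdata_blobs(data) if is_rtf else ():
            hits = [mk.decode() for mk in OLE_MARKERS if mk in blob]
            if hits:
                findings.append(f"embedded OLE object in {fname} references {hits}")
    return findings
```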
Tonto Team has been known since 2009 for its targeting of government, military, financial, educational institutions, as well as energy, medical and technology companies. The group initially worked exclusively in South Korea, Japan, Taiwan and the United States, but by 2020 countries and Eastern Europe were among its targets. Tonto Team has repeatedly shown interest in the information technology sector: for example, in March 2021, the group hacked into the mail servers of a purchasing and consulting company specializing in software development and cybersecurity based in Eastern Europe.
Break into the chain
Apparently, these IT and information security companies were used as a link in a supply chain attack, that is, an attack through a contractor, says Andrey Dugin, head of MTS SOC. The peculiarity of the supply chain, he explains, is that contractors are much less protected than the target companies, and hackers try to use them as a back door into the infrastructure of the final victim. In this case, hackers break into the company to take advantage of its access to the infrastructure of its clients – government agencies and corporations. “In addition, IT and information security companies usually hold important information even about those organizations with which they do not currently work. These can be the results of a pentest (a penetration test of the system), information about vulnerabilities found at the customer, or data about the company’s infrastructure obtained during a pilot project,” Dugin argues. “Finally, if we are talking about a software developer, hackers can try to hack the update system so that with the next release or patch the client receives malware, and the group gains a point of presence in the victim’s infrastructure.”
An illustrative example of a supply chain attack is the Dark Halo cyberattack on the American software developer SolarWinds in 2020. A compromised vendor infrastructure opens up ample opportunities for attackers to move further along the network and gain access to a huge pool of its customers and partners. Thus, the compromise of SolarWinds endangered its customers: Microsoft, Cisco, FireEye, Nvidia, Intel, Mimecast and 18,000 other companies.
Hacking contractors in order to gain access to third-party infrastructures is one of the stable trends in the world of hacker attacks and has been developing for more than three years, says Igor Zalevsky, head of the Solar JSOC CERT Cyber Incident Investigation Center at RTK-Solar. “It is not surprising that the groups to which experts attribute a Chinese trace also resort to similar tactics. Over the past two years, JSOC CERT specialists have investigated about five major incidents in which various Chinese hacker groups hacked IT contractors of government and commercial organizations,” says Zalevsky, adding that, in addition to Tonto Team, groups such as APT 15, APT 31 and APT 41 were behind the attacks. In general, all of them use phishing emails in their attacks, including the ready-made Royal Road Weaponizer toolkit (which generates a malicious office document), the expert says. Complex targeted attacks attributed to China, including pro-state groups, were recorded long before the beginning of 2022, Andrey Dugin notes. “Therefore, it is impossible to say unequivocally that this is somehow connected with current events in geopolitics,” he notes.
IT companies remain one of the most attractive targets for cyberattacks, experts state. The number of attacks on IT companies in 2022 slightly decreased compared to 2021, but they still account for 6% of attacks on organizations, Fedor Chunizhekov, an analyst at the Positive Technologies IS analytics research group, is quoted as saying in the company’s report “Cybersecurity 2022-2023. Trends and Forecasts”. A high-profile incident last year was the attack on Okta, which develops solutions for managing accounts and access, including multi-factor authentication. The attackers were interested in the company’s customers (the attack affected about 2.5% of customers); Okta itself was hacked as a result of the compromise of its contractor, Chunizhekov says.