Multiple high-profile organizations in Southeast Asia were the targets of an espionage campaign linked to China-based advanced persistent threat (APT) groups, according to a Symantec report released on Dec. 11.
According to the report by the Symantec Threat Hunter Team, the attacks in Southeast Asia have been underway since at least October 2023 and were aimed at gathering intelligence information from multiple high-profile organizations, including government ministries in two different countries, an air traffic control organization, a telecom company, and a media outlet.
An APT is a stealth actor, typically state-sponsored, who uses sophisticated levels of expertise and resources to break through the information technology infrastructure of organizations, remaining undetected for an extended period. The attacks allow it to exfiltrate information and undermine key aspects of the organization’s program or mission.
The report did not name any specific threat group but said multiple tools used in the espionage campaign point to China-based APT actors, particularly one group called Earth Baku.
“Of note is the use of a proxy tool called Rakshasa and a legitimate application file used for DLL sideloading,” the report said. Both tactics were used previously by Earth Baku, also known as APT41 and Brass Typhoon.
A DLL—or dynamic-link library—is a file that contains functions, data, and resources that programs load at run time. DLL sideloading, a type of DLL hijacking, is a technique in which threat actors place a malicious DLL where a legitimate application will load it, so the malicious code executes under the cover of a trusted program.
According to a Trend Micro blog post linked in the Symantec report, Earth Baku—which initially targeted the Indo-Pacific—has expanded its activities to Europe, the Middle East, and Africa. Italy, Germany, the United Arab Emirates, and Qatar have all been targeted, with suspected activity in Georgia and Romania.
Rakshasa, which uses simplified Chinese, was used previously by Earth Baku, according to Symantec.
The attackers had covert control over the compromised networks for extended periods of time, according to the report, and used the access to gather passwords and chart networks of interest to them.
Harvesting Data and Emails
The espionage activity by China-linked groups is the subject of year-end reports about attacks on critical digital infrastructure in various parts of the world.
“Based on the malware, infrastructure, techniques used, victimology, and the timing of the activities, we assess that it is highly likely these attacks were conducted by a China-nexus threat actor with cyberespionage motivations,” the report said.
According to a Symantec report released last week, APT groups also breached “a large U.S. organization with a significant presence in China” during a four-month-long intrusion that was detected on April 11 and continued until August. The report says the breach was the work of a China-based actor, based on available evidence.
“The attackers moved laterally across the organization’s network, compromising multiple computers,” said the report, released on Dec. 5.
It didn’t disclose the name of the victim organization.
“Some of the machines targeted were Exchange Servers, suggesting the attackers were gathering intelligence by harvesting emails. Exfiltration tools were also deployed, suggesting that targeted data was taken from the organizations,” the report said.