Source: https://therecord.media/chinese-hackers-compromising-south-china-sea-targets
CHINESE HACKERS COMPROMISING MILITARY AND GOV’T ENTITIES AROUND SOUTH CHINA SEA, REPORT FINDS

Jonathan Greig, May 22nd, 2024 | News | Government | Nation-state

Image: US Marines and Philippine Marines conduct an amphibious landing at the Philippines’ Naval Education Training Command. Credit: U.S. Indo-Pacific Command

At least eight government and military entities around the South China Sea have been compromised in recent years by a group believed to be aligned with Chinese interests, a new report has found.

For nearly five years, the hackers compromised, and repeatedly regained access to, systems used by those governments, according to researchers from Bitdefender. The report does not say which countries had systems breached, or whether they were already aware of the incidents before Bitdefender investigated them.

Bitdefender attributed the activity to a previously unknown threat actor, which it named Unfading Sea Haze, and noted that the “targets and nature of the attacks suggest alignment with Chinese interests.” The primary goal of the campaign, the researchers said, appears to be espionage.

The South China Sea is a hotly contested area where China has encroached on territorial claims made by Vietnam, the Philippines, Malaysia, Indonesia and Taiwan.
While the hackers’ choice of targets in the disputed area points to Beijing, other elements also suggest a connection to China, notably the use of various Gh0st RAT variants, a tool popular with Chinese actors and used extensively in espionage campaigns run by Beijing’s government hackers.

Bitdefender said it struggled to determine how the hackers initially gained entry to some systems, because many of the intrusions began at least five years ago, but it confirmed at least one method: spearphishing emails. These emails, some of which were sent as recently as May 2023, carried malicious document attachments that installed a backdoor on victim systems, allowing the hackers to return whenever they chose.

Once inside, the group used several tools to expand its access across a network and often took over administrator accounts to gain further privileges. The hackers also deployed several other types of malware to evade detection and to collect browser data such as saved passwords.

A ‘PROXY’ ARMY

The Bitdefender research adds to a growing body of knowledge about China’s extensive, nearly decade-long hacking campaign against targets across Southeast Asia and the Pacific.

Another report published on Wednesday by Google-owned cybersecurity firm Mandiant highlighted China’s use of stolen and leased proxies, such as home office routers, all over the world. According to Mandiant’s researchers, these networks are a key component of the work of Volt Typhoon, a Chinese hacking campaign that has targeted critical infrastructure used by the U.S. military.
Mandiant’s research noted that the use of compromised systems such as small office and home office routers located near a potential victim “brings a new facet to this issue, as the owners of this equipment may become unwitting enablers of serious spycraft.”

The researchers said this was part of a much larger effort by Chinese actors to grow their army of proxies, known as “ORB networks” (operational relay box networks), for espionage operations. ORB networks, they said, are akin to botnets and are made up of virtual private servers (VPS) as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end-of-life or no longer supported by their manufacturers.

Michael Raggi, Mandiant principal analyst and the author of the report, said in a statement that ORB networks are “one of the major innovations in Chinese cyber espionage that are challenging defenders.”

“They’re like a maze that is continually reconfiguring with the entrance and the exit disappearing from the maze every 60 - 90 days. In order to target someone, these actors may be coming from a home router right down the street. It’s not unusual for an entirely unwitting person’s home router to be involved in an act of espionage,” he said.

Mandiant Chief Analyst John Hultquist added that Chinese cyber espionage “was once noisy and easily trackable.”

“This is a new type of adversary,” he said.

Tags: China, South China Sea, Nation-state, advanced persistent threat (APT), Volt Typhoon, Philippines

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
© Copyright 2024 | The Record from Recorded Future News