EastWind Cyber Espionage Campaign
Kaspersky has identified a cyber espionage campaign it calls EastWind, attributed to a China-linked threat actor, that targets government organizations in Russia. Rather than standing up dedicated infrastructure, the operators use popular, legitimately used cloud services, including Dropbox, GitHub, Quora, and Yandex, as command-and-control (C2) channels, so the malware's traffic blends in with ordinary web activity.
Diverse APT Tool Collaboration
Kaspersky's analysis highlights overlap between the toolsets of different Advanced Persistent Threat (APT) groups: the campaign combines malware previously attributed to APT31 with malware previously attributed to APT27, both China-sponsored. Such reuse illustrates a trend in which threat actors share tools and tactics, and it suggests that cyber espionage campaigns can involve multiple groups, or at least shared resources, rather than a single self-contained team.
Command-and-Control Servers Hosted on Dropbox
Kaspersky found that the malware in the EastWind campaign communicated with C2 servers hosted on Dropbox. Through this channel the attackers managed the implants on infected systems and downloaded additional, more capable tools, among them CloudSorcerer, a backdoor Kaspersky had previously seen used against Russian entities this year. Because the traffic is TLS to a legitimate API, a domain blocklist will not catch it; defenders need to look at which processes talk to the service and how regularly they do so.
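One way to hunt for this pattern in web-proxy logs, as an added example and not code from Kaspersky's report: flag cloud-service requests from non-browser clients, and separately flag (source, host) pairs whose request intervals are too regular to be a human. The log layout (tab-separated timestamp, source IP, User-Agent, host), the sample lines, the hostnames, the User-Agent strings and the thresholds are all assumptions chosen for illustration; none are indicators from the report. The sample includes a browser-looking client that beacons on a timer, which the User-Agent check alone would miss.

```python
"""Hunt for beaconing to legitimate cloud services in web-proxy logs.

Added example, not code from Kaspersky's EastWind report. Log format,
hostnames, User-Agent strings and thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# API endpoints of services the campaign abused (Dropbox, GitHub, Quora, Yandex).
# Assumed hostnames for the example, not indicators from the report.
CLOUD_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "api.github.com", "raw.githubusercontent.com",
    "www.quora.com", "cloud-api.yandex.net",
}
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Edg/")

# Constructed sample log: one normal browser session, one non-browser client
# beaconing to Dropbox every ~10 min, and one browser-looking client beaconing
# to GitHub every ~5 min with small jitter.
SAMPLE_LOG = """\
2024-08-01T09:00:00\t10.0.0.15\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\twww.quora.com
2024-08-01T09:03:00\t10.0.0.15\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\tapi.github.com
2024-08-01T11:47:00\t10.0.0.15\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\tapi.github.com
2024-08-01T14:02:00\t10.0.0.15\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\tapi.github.com
2024-08-01T15:10:00\t10.0.0.15\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\tapi.github.com
2024-08-01T09:00:00\t10.0.0.42\tWinHTTP-Loader/1.0\tapi.dropboxapi.com
2024-08-01T09:10:01\t10.0.0.42\tWinHTTP-Loader/1.0\tapi.dropboxapi.com
2024-08-01T09:19:59\t10.0.0.42\tWinHTTP-Loader/1.0\tapi.dropboxapi.com
2024-08-01T09:30:02\t10.0.0.42\tWinHTTP-Loader/1.0\tapi.dropboxapi.com
2024-08-01T09:40:00\t10.0.0.42\tWinHTTP-Loader/1.0\tapi.dropboxapi.com
2024-08-01T10:00:00\t10.0.0.77\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\traw.githubusercontent.com
2024-08-01T10:05:03\t10.0.0.77\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\traw.githubusercontent.com
2024-08-01T10:09:58\t10.0.0.77\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\traw.githubusercontent.com
2024-08-01T10:15:01\t10.0.0.77\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\traw.githubusercontent.com
2024-08-01T10:20:00\t10.0.0.77\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0\traw.githubusercontent.com
"""


def load(log_text):
    """Parse the constructed log into (timestamp, src, user_agent, host) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, src, ua, host = line.split("\t")
        events.append((datetime.fromisoformat(ts), src, ua, host))
    return events


def beaconing_pairs(events, min_events=4, max_cv=0.05):
    """Return {(src, host): mean_gap_seconds} for (source, cloud host) pairs whose
    request intervals are regular: coefficient of variation <= max_cv."""
    stamps = defaultdict(list)
    for ts, src, _ua, host in events:
        if host in CLOUD_HOSTS:
            stamps[(src, host)].append(ts)
    findings = {}
    for pair, times in stamps.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            findings[pair] = round(mean)
    return findings


def non_browser_clients(events):
    """Return {(src, host, user_agent)} for cloud-host requests from non-browser clients."""
    return {
        (src, host, ua)
        for _ts, src, ua, host in events
        if host in CLOUD_HOSTS and not any(m in ua for m in BROWSER_UA_MARKERS)
    }


if __name__ == "__main__":
    evs = load(SAMPLE_LOG)
    for (src, host), gap in beaconing_pairs(evs).items():
        print(f"regular beacon: {src} -> {host} every ~{gap}s")
    for src, host, ua in non_browser_clients(evs):
        print(f"non-browser client: {src} -> {host} ({ua})")
```

The timing test is the one that matters: a User-Agent is trivially spoofed, while a sleep-and-poll loop leaves a low-variance interval signature unless the implant adds substantial jitter. Tune min_events and max_cv to your environment, and expect some legitimate sync clients (which also poll on timers) to show up; those are the baseline you whitelist by process, not by domain.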
APT31 and APT27: Key Players
APT31, linked to China's Ministry of State Security, is known for gathering intelligence that benefits China's economic, military, and political interests. Their targets span government, finance, aerospace, defense, telecommunications, and high-tech sectors.
APT27, also known as Emissary Panda, focuses on intellectual property theft in strategically important sectors. Like APT31, it relies heavily on phishing emails as the initial access vector.
Kaspersky's findings did not definitively attribute the EastWind campaign to either group, but the presence of their tooling points to their possible involvement, or to that tooling being shared more widely than previously assumed.
Tools and Techniques in Use
Kaspersky identified three implants. GrewApacha, a Trojan associated with APT31, and an updated CloudSorcerer handled delivery and management of the attack's payloads; a third backdoor, which Kaspersky named PlugY, overlaps with tooling previously attributed to APT27. PlugY can reach its C2 over TCP or UDP and can also be driven through named pipes, a channel commonly used to relay control through another compromised host instead of connecting directly to the internet. Its commands range from file manipulation and shell command execution to keystroke logging and screen monitoring.
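A named-pipe control channel leaves a host-side trace: the implant has to create a pipe server. As an added example (not code from Kaspersky's report), the following triage over Sysmon Event ID 17 (pipe created) records flags pipe servers whose binary lives in a user-writable directory, and pipe/binary combinations absent from a baseline of known-good pairs. The event records, pipe names, binary paths, baseline and directory lists are constructed assumptions for illustration, not indicators from the campaign.

```python
"""Triage suspicious named-pipe creation from Sysmon Event ID 17 records.

Added example, not from Kaspersky's report. Records, pipe names, paths and
the baseline are constructed; only the Sysmon field names are real.
"""
from pathlib import PureWindowsPath

# Directories a standard user can write to; a pipe server running from here is unusual.
USER_WRITABLE_ROOTS = (r"C:\Users\Public", r"C:\ProgramData", r"C:\Windows\Temp")
USER_PROFILE_DIRS = ("AppData", "Downloads", "Desktop")

# Constructed baseline of (image basename, pipe name) pairs observed on a clean host.
BASELINE = {
    ("lsass.exe", r"\lsass"),
    ("spoolsv.exe", r"\spoolss"),
    ("svchost.exe", r"\W32TIME_ALT"),
}

# Constructed Sysmon-style events: 17 = pipe created, 18 = client connected.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"},
    {"EventID": 17, "Image": r"C:\Users\Public\Libraries\svcupd.exe", "PipeName": r"\upd_ctl"},
    {"EventID": 17, "Image": r"C:\Users\alice\AppData\Roaming\Notes\notes.exe", "PipeName": r"\notes_ipc"},
    {"EventID": 17, "Image": r"C:\Program Files\Vendor\agent.exe", "PipeName": r"\vendor_agent"},
]


def in_user_writable(image):
    """True if the pipe server binary lives in a directory a standard user can write to."""
    path = PureWindowsPath(image)
    lowered = str(path).lower()
    if any(lowered.startswith(root.lower() + "\\") for root in USER_WRITABLE_ROOTS):
        return True
    parts = [p.lower() for p in path.parts]
    # C:\Users\<name>\AppData\..., Downloads, Desktop
    return len(parts) > 2 and parts[1] == "users" and any(d.lower() in parts for d in USER_PROFILE_DIRS)


def triage_pipe_creations(events, baseline=BASELINE):
    """Return findings for pipe *creations* not in the baseline.

    Severity is 'high' when the creating binary runs from a user-writable
    path, 'medium' when it is merely an unknown (image, pipe) pair."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 17:
            continue  # Event 18 is a client connect; only servers are triaged here
        image, pipe = ev["Image"], ev["PipeName"]
        name = PureWindowsPath(image).name.lower()
        if (name, pipe) in baseline:
            continue
        severity = "high" if in_user_writable(image) else "medium"
        findings.append({"severity": severity, "image": image, "pipe": pipe})
    return findings


if __name__ == "__main__":
    for f in triage_pipe_creations(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} created pipe {f['pipe']}")
```

Named pipes are created by a great many legitimate programs, so the baseline is what keeps this usable; build it from a clean host in the same role. The path check is the part worth keeping even without a baseline, since a pipe server under Users\Public or AppData is rarely expected and is cheap to review. Sysmon must be configured to log Event ID 17 for this to have any data to work on.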
Implications of APT Collaboration
The EastWind campaign exemplifies how APT groups can extend their capabilities through cooperation. By sharing knowledge and tools, these groups gain a wider set of capabilities and maintain persistent access to high-value targets. This collaborative approach poses significant challenges for defenders, because attribution by tooling alone becomes unreliable and detections built around one group's infrastructure do not transfer; it emphasizes the importance of robust security controls and threat intelligence sharing among potential targets.
Sources: Kaspersky blog posts, Mandiant reports, US Department of Justice indictments.