A new long-running espionage campaign targeting new geographies has been ascribed to a Chinese state-backed advanced persistent threat (APT) organisation renowned for singling out Japanese businesses, implying a “widening” of the threat actor’s targets.
Cicada, also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team, has been linked to the broad incursions, which are thought to have started at the earliest in mid-2021 and persisted as recently as February 2022.
In a report shared with The Hacker News, researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said that “victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organisations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America.”
According to Brigid O. Gorman, senior information developer at the Symantec Threat Hunter Team, “there is a heavy concentration on victims in the government and NGO sectors, with some of these groups working in the fields of religion and education.”
The majority of the victims are based in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy, with a single victim in Japan; the adversary spent up to nine months inside their networks.
“There are also some victims in the telecommunications, legal, and pharmaceutical sectors,” Gorman noted, “but it appears that governmental and non-profit organisations were the major target of this effort.”
In March 2021, Kaspersky researchers disclosed an intelligence-gathering operation in which information-stealing implants were deployed against a variety of industry sectors in Japan.
Early this February, Stone Panda was then implicated in a coordinated supply chain attack directed at Taiwan's banking industry, with the intention of collecting sensitive information from compromised systems.
In the current wave of attacks observed by Symantec, the perpetrators obtain initial access through a known, unpatched vulnerability in Microsoft Exchange servers, which they then use to deliver their preferred backdoor, SodaMaster.
“However, because we didn’t see the attackers using a specific vulnerability, we can’t determine if they used ProxyShell or ProxyLogon [flaws],” Gorman explained.
SodaMaster is a Windows-based remote access trojan with characteristics that make it easier to retrieve additional payloads and exfiltrate data back to its command-and-control (C2) server.
The intrusions also involved the Mimikatz credential-dumping tool, NBTScan for internal reconnaissance, WMIExec for remote command execution, and VLC Media Player to execute a custom loader on the infected host.
“This campaign with victims from such a diverse range of industries looks to indicate that the gang is now interested in a broader range of targets,” Gorman said.
“The types of organisations targeted — charities and government agencies, as well as religious and educational institutions — are most likely to be of interest to the group for espionage objectives. The type of activity we find on victim PCs, as well as previous Cicada activity, all point to espionage as the goal for this operation.”