Chinese Hackers Suspected in Attacks on Air-Gapped Systems in Eastern Europe

The Hack:

Cybersecurity company Kaspersky has attributed a series of attacks against industrial organizations in Eastern Europe, aimed at stealing data from air-gapped systems, to a nation-state actor with links to China. The hacking crew responsible for the attacks, known as APT31 or Bronze Vinewood, has been using more than 15 distinct implants in their operations, categorized based on their functionalities.

One of the implant types discovered by Kaspersky is a sophisticated modular malware designed to profile removable drives and infect them with a worm for exfiltrating data from isolated or air-gapped networks of industrial organizations in Eastern Europe. Another implant type is meant for stealing data from local computers and sending it to Dropbox using next-stage implants.

How They Do It:

APT31 has been using various backdoors, including a malware family called FourteenHi and a first-stage backdoor named MeatBall, for remote access and initial data gathering. The group has also been observed using Yandex Cloud for command-and-control, similar to previous findings by Positive Technologies in 2022.

The threat actor’s tactics involve hiding payloads in encrypted form within separate binary data files and concealing malicious code in legitimate applications’ memory through DLL hijacking and memory injections, making it harder to detect and analyze their actions.

In addition to targeting Windows systems, APT31 has also been observed setting its sights on Linux systems, as indicated by attacks against South Korean companies using a backdoor called Rekoobe.

Kaspersky researchers highlight the sophistication of APT31’s tactics, particularly their deliberate efforts to obfuscate their actions during data exfiltration from air-gapped networks.

While abuse of cloud services is not new, APT31 continues to leverage this tactic, making detection and mitigation challenging, especially when organizations’ business processes depend on using such services.

What This Means for the Future:

The attacks show that APT31’s strategies are evolving, and their ability to target air-gapped systems and use encryption to evade detection underscores the need for enhanced cybersecurity measures to protect critical infrastructure and industrial organizations in the region.

Please note that the information in this news article is based on Kaspersky’s research and observations as of the mentioned date. Further developments may occur.


– Authored by contributor Anthony J. Daw

Joshua Paulo
Joshua Paulo serves as Atlas's Director of News, combining a Criminal Justice degree and a background in public service and International Relations. Boasting years of experience in analysis and journalism, he now spearheads a team of professionals committed to delivering unbiased reporting to provide the public and private sector with accurate and insightful information.