Cybersecurity company Kaspersky has attributed a series of attacks against industrial organizations in Eastern Europe, aimed at stealing data from air-gapped systems, to a nation-state actor with links to China. The threat group responsible, tracked as APT31 or Bronze Vinewood, has been using more than 15 distinct implants in these operations, which Kaspersky groups by function.
One of the implant types discovered by Kaspersky is a sophisticated modular malware designed to profile removable drives and infect them with a worm for exfiltrating data from isolated or air-gapped networks of industrial organizations in Eastern Europe. Another implant type is meant for stealing data from local computers and sending it to Dropbox using next-stage implants.
How They Do It:
APT31 has been using various backdoors, including a malware family called FourteenHi and a first-stage backdoor named MeatBall, for remote access and initial data gathering. The group has also been observed using Yandex Cloud for command-and-control, similar to previous findings by Positive Technologies in 2022.
The group stores its payloads in encrypted form inside separate binary data files and runs its code inside the memory of legitimate applications by way of DLL hijacking and memory injection, so that on-disk scanning and process listings reveal little and analysis of its activity becomes harder.
In addition to targeting Windows systems, APT31 has also been observed setting its sights on Linux systems, as indicated by attacks against South Korean companies using a backdoor called Rekoobe.
Kaspersky researchers highlight the sophistication of APT31’s tactics, particularly their deliberate efforts to obfuscate their actions during data exfiltration from air-gapped networks.
While abuse of cloud services is not new, APT31 continues to leverage this tactic, making detection and mitigation challenging, especially when organizations’ business processes depend on using such services.
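The cloud-service abuse described above (Dropbox and Yandex Cloud as upload and command channels) is hard to block outright when the business relies on the same services, so the practical control is to baseline who legitimately talks to the storage APIs and flag the rest. The following is an added illustration, not Kaspersky's tooling or anything taken from the APT31 implants: a small detector run over constructed web-proxy log lines. The log format, the host names, the API hostnames, the allowlist, the client user-agent prefixes and the volume threshold are all assumptions chosen for the demo and would need to be replaced with an organization's own data.

```python
"""Flag possible cloud-storage exfiltration in web-proxy logs.

Added example for illustration only. The log format, hosts, allowlist,
user-agent prefixes and threshold below are assumptions for the demo.
"""
import re
from collections import defaultdict

# Storage API hostnames an implant would talk to directly (assumed list).
# Browser UI hostnames such as www.dropbox.com are deliberately not listed:
# interactive use and direct API use are different signals.
CLOUD_API_HOSTS = {
    "content.dropboxapi.com": "dropbox",
    "api.dropboxapi.com": "dropbox",
    "cloud-api.yandex.net": "yandex_disk",
    "uploader.disk.yandex.net": "yandex_disk",
}

# (workstation, service) pairs whose business process legitimately uses the
# service API (assumed baseline).
ALLOWLIST = {("fin-ws-07", "dropbox")}

# User-agent prefixes of the official desktop clients (assumed values).
OFFICIAL_CLIENT_UA_PREFIXES = ("Dropbox-Desktop-Client", "Yandex.Disk")

# Upload volume per workstation and service above which we alert (assumed).
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB

# Assumed proxy log format, one request per line:
# timestamp client_ip client_host method dst_host path bytes_out "user_agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<method>[A-Z]+) '
    r'(?P<dst>\S+) (?P<path>\S+) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one legitimate Dropbox desktop client, one host
# pushing large uploads with an odd user agent, one HMI workstation scripting
# Yandex Disk uploads, and one browser visit that is not API traffic.
SAMPLE_LOG = """\
2023-08-01T09:12:01Z 10.20.1.15 fin-ws-07 POST content.dropboxapi.com /2/files/upload 734211 "Dropbox-Desktop-Client/170.4"
2023-08-01T09:13:44Z 10.20.1.15 fin-ws-07 POST content.dropboxapi.com /2/files/upload 812000 "Dropbox-Desktop-Client/170.4"
2023-08-01T10:05:12Z 10.20.3.44 eng-ws-21 POST content.dropboxapi.com /2/files/upload 4100000 "Mozilla/4.0 (compatible; MSIE 7.0)"
2023-08-01T10:05:59Z 10.20.3.44 eng-ws-21 POST content.dropboxapi.com /2/files/upload 3900000 "Mozilla/4.0 (compatible; MSIE 7.0)"
2023-08-01T11:40:02Z 10.20.5.9 hmi-ws-02 PUT uploader.disk.yandex.net /upload-target/abc 250000 "python-requests/2.28"
2023-08-01T11:41:30Z 10.20.5.9 hmi-ws-02 GET cloud-api.yandex.net /v1/disk/resources/upload 512 "python-requests/2.28"
2023-08-01T12:00:00Z 10.20.7.2 ops-ws-11 GET www.dropbox.com /home 20000 "Mozilla/5.0"
"""


def parse_log(text):
    """Parse proxy log text into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes_out"] = int(ev["bytes_out"])
        events.append(ev)
    return events


def find_suspicious(events, allowlist=ALLOWLIST, threshold=UPLOAD_BYTES_THRESHOLD):
    """Return findings, one per (host, service) pair that trips any rule.

    Rules: the pair is not in the business allowlist; the upload volume
    exceeds the threshold; or no request used an official client user agent.
    """
    uploaded = defaultdict(int)  # (host, service) -> bytes sent via POST/PUT
    agents = defaultdict(set)    # (host, service) -> user agents observed
    for ev in events:
        service = CLOUD_API_HOSTS.get(ev["dst"])
        if service is None:
            continue  # not storage API traffic
        key = (ev["host"], service)
        if ev["method"] in ("POST", "PUT"):
            uploaded[key] += ev["bytes_out"]
        agents[key].add(ev["ua"])

    findings = []
    for host, service in sorted(agents):
        key = (host, service)
        reasons = []
        if key not in allowlist:
            reasons.append("host not allowlisted for %s API" % service)
        if uploaded[key] > threshold:
            reasons.append("uploaded %d bytes (> %d)" % (uploaded[key], threshold))
        if not any(ua.startswith(OFFICIAL_CLIENT_UA_PREFIXES) for ua in agents[key]):
            reasons.append("no official client user agent seen")
        if reasons:
            findings.append({"host": host, "service": service,
                             "bytes_out": uploaded[key], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print("%s -> %s (%d bytes): %s" % (f["host"], f["service"],
                                           f["bytes_out"], "; ".join(f["reasons"])))
```

On the sample data the allowlisted finance workstation is left alone, the engineering host is reported for all three reasons, and the HMI workstation for two; the browser visit to www.dropbox.com is ignored because it is not API traffic. In production the allowlist and threshold should come from an observed baseline rather than fixed values, and an alert on an industrial-network host that should have no cloud reachability at all is the one to prioritize.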
What This Means for the Future:
The attacks show that APT31’s strategies are evolving, and their ability to target air-gapped systems and use encryption to evade detection underscores the need for enhanced cybersecurity measures to protect critical infrastructure and industrial organizations in the region.
Please note that the information in this news article is based on Kaspersky’s research and observations as of the mentioned date. Further developments may occur.
– Authored by contributor Anthony J. Daw