Symantec: China-Linked Actors Investigate SCADA Systems
An unidentified hacking group with suspected China ties is targeting critical infrastructure in South East Asia as part of a cyberespionage campaign to exfiltrate information about the victim’s SCADA systems. says a report by security firm Symantec.
Symantec reports that the campaign was active from November 2020 to March this year and targeted a water company, a power company, a communications company and a defense organization.
The attackers used different techniques such as deploying malicious apps, search order hijacking and exploiting vulnerabilities in a Google Chrome Frame plug-in designed for Internet Explorer.
Once successful compromising the systems, the attackers proceeded to credential theft and then collected information about the victim’s SCADA systems. SCADA comprises software and hardware that allows industrial organizations to control industrial processes locally or remotely, as well as monitor and gather real-time data.
Symantec reports that “There are some indications that the attacker behind this campaign is based in China,” based on “certain artifacts found on the victim machines,” but it did not provide further details and went on to say that, “with the current information available, Symantec cannot attribute the activity to a known actor.” The report adds, “We did not observe the attackers exfiltrating data from the infected machines. However, the machine the attackers were on did have tools on it that indicate it may have been involved in the design of SCADA systems, indicating this is something the attacker may have been interested in.”
To target the unidentified water company, the attackers used a legitimate free multimedia player called PotPlayer Mini to load a malicious DLL. The malware then loaded several ProcDump hacking tools for credential theft.
In the case of the power company, the attackers deployed the same PotPlayer malware and ProcDump. However, in addition to this strain, the attackers also leveraged another unidentified payload, the report notes.
When targeting a victim in the communication sector, the attackers leveraged Google Chrome Frame to deploy malware and collect the victim’s data.
“In the defense organization we once again saw PotPlayer Mini exploited for DLL search order hijacking, as well as seeing some file overlaps between this organization and the communications and water companies,” the report says.
Chinese Espionage Activities
Chinese espionage activities have targeted several victims in recent months. These include attacks against corporations, political figures, government officials, law enforcement agencies, political activists and dissidents of interest to the Chinese government.
For instance, on Tuesday, security firm Cybereason uncovered a Chinese advanced persistent threat group that compromised telecommunication network providers across Southeast Asia in an effort to harvest customers’ sensitive communications (see: Chinese APT Groups Targeted Asian Telecoms).
In a U.S. Senate hearing this week, senators and those testifying said that China is stealing IP through espionage campaigns to support its efforts to dominate technology development, such as for artificial intelligence and semiconductors. It was suggested that China could leverage this technology worldwide for espionage (see: Chinese Cyberthreats: The Impact on National Security).
Last month, the U.S. indicted four Chinese nationals connected to the nation’s Ministry of State Security for an alleged hacking campaign conducted from 2011 to 2018 that targeted universities and government entities to obtain trade secrets, medical research and other intellectual property (see: US Indicts 4 Chinese Nationals for Lengthy Hacking Campaign).