  • 27 Sep, 2022
  • Admin

China-linked group behind espionage campaign against Tibetan groups


Source: Cyber daily

An advanced persistent threat (APT) actor with ties to China, tracked as TA413, used recently disclosed vulnerabilities in Sophos Firewall and Microsoft Office to deploy a previously unseen backdoor named LOWZERO as part of an espionage campaign against Tibetan groups.

Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

On 18th January 2022, a reporter from Beijing sent an attachment file to CTA spokesman Tenzin Lekshey via Twitter, according to VOA Tibetan. When the spokesman opened the attachment, he was shocked to discover that his Twitter account had been hacked and that valuable information had been stolen.

Another CTA official's personal network had previously been hacked and compromised. Tenzin Lekshey, a spokesman for the CTA, is not the only victim of this Twitter infiltration; India's former (28th) foreign secretary Nirupama Rao is one of numerous high-ranking Indian officials whose accounts have been infiltrated through this method.

The attacks used the remote code execution flaws CVE-2022-1040 and CVE-2022-30190 (also known as "Follina"), in Sophos Firewall and Microsoft Office, respectively.

Since at least 2020, TA413, also known as LuckyCat, has been linked to relentless targeting of organizations and individuals associated with the Tibetan community, using malware such as ExileRAT and Sepulcher and a malicious Mozilla Firefox browser extension called FriarFox.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

LOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.

"The group continues to incorporate new capabilities while also relying on tried-and-tested [tactics, techniques, and procedures]," the cybersecurity firm said.


Edited & Collated by Team TRC