![SecurityWeek](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="400" height="75"><rect fill-opacity="0"/></svg>)
A China-linked cyberspy group appears to be behind a campaign targeting industrial organizations in Eastern Europe, cybersecurity firm Kaspersky reported last week.
The attacks have been linked to APT31, a group believed to be sponsored by the Chinese government that is also known as Zirconium, Judgement Panda, Bronze Vinewood and Red Keres. The threat actor has focused on operations whose goal is to steal valuable intellectual property from victims.
While the targets of the campaign analyzed by Kaspersky were industrial organizations, the company told SecurityWeek there is no indication that the hackers targeted industrial control systems (ICS).
“We do not have any evidence that the attackers could have anything in addition to data theft as their goal in this campaign,” Kaspersky said.
The attacks were observed in 2022 and the cybersecurity firm recently concluded its investigation into the campaign.
The hackers attempted to establish permanent channels for data exfiltration, including for information stored on air-gapped systems, which they targeted through malware-infected removable drives.
The attackers used improved variants of a previously known malware named FourteenHi, which enables the attackers to upload or download files, run commands, and initialize a reverse shell.
The new variants were designed to specifically target the infrastructure of industrial organizations.
In addition, the cyberspies leveraged a new malware implant dubbed MeatBall, which provides extensive remote access capabilities.
The attackers exploited DLL hijacking vulnerabilities affecting legitimate applications to load some of their malware.
“To exfiltrate data and deliver next-stage malware, the threat actor (or actors) abuse(s) a cloud-based data storage, e.g., Dropbox or Yandex Disk, as well as a service used for temporary file sharing. They also use C2 deployed on regular virtual private servers (VPS),” Kaspersky explained.
The cybersecurity firm’s report includes technical details on these attacks, including indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs).
Related: Chinese Cyberspy Group APT31 Starts Targeting Russia
Related: EU Organizations Warned of Chinese APT Attacks
Related: China-Linked APT15 Targets Foreign Ministries With ‘Graphican’ Backdoor
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="170" height="200"><rect fill-opacity="0"/></svg>){kind=avatar}
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- MOVEit Hack Could Earn Cybercriminals $100M as Number of Confirmed Victims Grows
- Perimeter81 Vulnerability Disclosed After Botched Disclosure Process
- Industrial Organizations in Eastern Europe Targeted by Chinese Cyberspies
- Google Creates Red Team to Test Attacks Against AI Systems
- VirusTotal Provides Clarifications on Data Leak Affecting Premium Accounts
- Citrix Zero-Day Exploited Against Critical Infrastructure Organization
- New AMI BMC Flaws Allowing Takeover and Physical Damage Could Impact Millions of Devices
- Cosmetics Giant Estée Lauder Targeted by Two Ransomware Groups
Latest News
- Apple Patches Another Kernel Flaw Exploited in ‘Operation Triangulation’ Attacks
- Nubeva’s Ransomware Key Interception and Decryption Technology Validated in Third-Party Lab
- OneTrust Raises $150 Million at $4.5 Billion Valuation
- Cybersecurity Public-Private Partnership: Where Do We Go Next?
- MOVEit Hack Could Earn Cybercriminals $100M as Number of Confirmed Victims Grows
- Los Angeles SIM Swapper Pleads Guilty to Cybercrime Charges
- Over 20,000 Citrix Appliances Vulnerable to New Exploit
- Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="200" height="38"><rect fill-opacity="0"/></svg>)
