Introduction
In a startling revelation, a Chinese Advanced Persistent Threat (APT) group, dubbed ‘Earth Krahang,’ has orchestrated a widespread hacking campaign, breaching 70 organizations and targeting 116 across 45 countries. This sophisticated cyber espionage operation, active since early 2022, has primarily zeroed in on government bodies, compromising 48 and aiming at another 49, including 10 Foreign Affairs ministries. This campaign, documented by Trend Micro researchers, showcases a high level of tactical finesse and strategic planning, underlining the evolving threat landscape in global cybersecurity.
Attack Overview
Earth Krahang’s modus operandi is a meticulously crafted blend of technical prowess and psychological manipulation. The group employs open-source tools to scan for vulnerabilities in public-facing servers, such as CVE-2023-32315 in Openfire and CVE-2022-21587 in Control Web Panel. Exploiting these vulnerabilities allows them to deploy webshells, establishing unauthorized access and persistence within the networks of their victims.
Spear-phishing, a hallmark of sophisticated cyber campaigns, serves as an initial access vector. Earth Krahang crafts emails themed around geopolitical issues, enticing recipients to open malicious attachments or click on compromised links. These activities are not just isolated attacks but part of a broader strategy to leverage compromised government infrastructure to launch further assaults on other state entities.
Exploitation and Espionage
Once entrenched within a network, Earth Krahang transforms the compromised infrastructure into a conduit for hosting malicious payloads and proxying attack traffic. The group’s cunning is evident in its use of hacked government email accounts to perpetrate spear-phishing attacks on other government officials or entities, creating a cascading effect of breaches.
Trend Micro’s investigations revealed instances where Earth Krahang harvested hundreds of email addresses during reconnaissance, employing compromised mailboxes to disseminate malicious attachments across vast networks. These attachments are designed to install backdoors, ensuring the persistence of the infection and creating redundancies to counter detection and cleanup efforts.
Furthermore, the attackers have demonstrated a penchant for brute-forcing Exchange credentials using compromised Outlook accounts, alongside deploying Python scripts to siphon emails from Zimbra servers. Their tactical arsenal also includes setting up VPN servers on breached public servers via SoftEtherVPN, facilitating deeper network penetration and lateral movement within the victim’s infrastructure.
Advanced Tools and Techniques
Earth Krahang’s technological toolkit features sophisticated malware and tools like Cobalt Strike, RESHELL, and XDealer. These tools empower the group with extensive command execution and data exfiltration capabilities. XDealer, in particular, stands out for its complexity, offering functionalities across Linux and Windows platforms, including screenshot capture, keystroke logging, and clipboard data interception.
Attribution and Connections
Trend Micro’s analysis initially linked Earth Krahang to the China-nexus actor Earth Lusca, given the overlap in command and control infrastructure. However, further investigation delineated Earth Krahang as a distinct entity, potentially operating under the Chinese firm I-Soon, which specializes in government-focused cyber espionage.
The use of tools like RESHELL and XDealer, previously associated with the ‘Gallium’ and ‘Luoyu’ groups respectively, indicates a shared arsenal among these actors, with each entity deploying unique encryption keys to maintain operational security.
Conclusion
The Earth Krahang hacking campaign is a stark reminder of the sophisticated and persistent nature of state-sponsored cyber espionage. With a wide array of targets and advanced techniques at their disposal, such groups pose a significant threat to global cybersecurity. The campaign’s breadth, targeting 70 organizations across 23 countries, underscores the need for robust cybersecurity measures, international cooperation, and continuous vigilance in the digital domain.
In light of these events, organizations worldwide, especially governmental and diplomatic entities, must prioritize cybersecurity, adopt comprehensive threat detection and response strategies, and foster collaborative efforts to counteract such pervasive cyber threats. The Earth Krahang campaign not only serves as a wake-up call but also as a blueprint for understanding and combating the sophisticated tactics employed by state-affiliated cyber espionage actors.
