Chinese-aligned hacking group targeted more than a dozen government agencies, researchers find

The activity highlights a rapidly evolving, aggressive cyberespionage operation that played out across Africa, Europe, the Middle East and Asia, a Talos report says.
Hacker with covered face in his operating room with multiple displays. (Sutthichai Supapornpasupad/Getty Images)

An aggressive and prolific Chinese-speaking cyberespionage group has targeted the ministries of foreign affairs and embassies of at least nine countries across Africa, the Middle East, Europe and Asia, researchers with Cisco Talos said Friday, highlighting how hackers perhaps aligned with Beijing continue to evolve their operations to gather information about a variety of geopolitical hotspots. 

Using scanned government documents that, at times, were not available on the internet as lures, the hacking group dubbed “SneakyChef” appeared to be targeting government agencies in Angola, Turkmenistan, Kazakhstan, India, Saudi Arabia, South Korea, Uzbekistan, the U.S. and Latvia, according to findings shared exclusively with CyberScoop from Talos researchers Chetan Raghuprasad and Ashley Shen and members of the Yahoo Paranoids Advanced Cyber Threats Team.

SneakyChef uses the SugarGh0st remote access tool, first made public by Talos in November. The tool is a customized version of Gh0st RAT, a well-documented remote access and data exfiltration tool used for years by various groups but first seen in Chinese-aligned operations in March 2008.

Friday’s report from Talos also includes a separate analysis of a new remote access trojan, dubbed SpiceRAT, delivered to SneakyChef targets via the same email address. 


Taken together, the findings highlight an “aggressive” and prolific hacking effort pushing the development of cyberespionage malware against targets in key geopolitical hotspots, said Vitor Ventura, lead security researcher at Talos. 

“In a relatively short amount of time there was a huge amount of activity by this actor, to the point that they developed another malware,” Ventura told CyberScoop. “They are evolving really fast, and they are extremely aggressive.”

The group is so far being tracked as a distinct campaign or unit, Ventura said, and there is not yet sufficient evidence to tie it to any particular government agency or known contractor. A May report from Palo Alto Networks Unit 42 classified some related activity as the work of a Chinese advanced persistent threat group (APT), denoting a typically state-sponsored group operating at a high level.

In May, researchers with Proofpoint identified SugarGh0st being used in campaigns targeting organizations in the U.S. involved in artificial intelligence efforts, including academia, private industry and government service.

In one example highlighted by Talos, the hackers used various non-public Indian documents to target the Indian Ministry of Foreign Affairs. In one case, a decoy Microsoft Word document contained lures related to India-U.S. relations, including a list of events related to India’s prime minister and President Joe Biden, referencing interactions between the two up through September 2023.

Latest Podcasts