The Chinese government hacking group seen targeting European governments and non-governmental organizations in early March may have also been going after Russian government targets as well, researchers with Secureworks Counter Threat Unit reported Wednesday.
The findings add new details to multiple threat intelligence reports in early March highlighting the concerted efforts of Chinese-linked hacking groups to target European diplomatic entities and NGOs, particularly with respect to refugee and migrant services.
At the time researchers with Google’s Threat Analysis Group and cybersecurity firm Proofpoint noted the activity and associated it with Mustang Panda, a Chinese-government linked hacking group. The two teams’ assessments differed slightly on whether it reflected longstanding targeting or a shift based on new intelligence needs related to Russia’s invasion of Ukraine.
The Secureworks researchers, who track the group called Mustang Panda by others as “Bronze President,” say that while the group was involved in targeting the European entities it was simultaneously targeting Russian government computer systems with the well-known PlugX malware variant hidden inside a malicious file made to look like a PDF.
The Secureworks researchers note that the malicious file name refers to a border guard unit in the Russian city of Blagoveshchensk, a town in the east of Russia on the border with China. “This connection suggests that the filename was chosen to target officials or military personnel familiar with the region,” the researchers wrote.
The hacking group had typically targeted entities in Southeast Asia, going after political and economic intelligence valuable to the Chinese government, so targeting the border unit suggests the hacking crew has “received updated tasking that reflects the changing intelligence collection requirements,” the researchers wrote.
“The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations,” the researchers wrote. “This desire for situational awareness often extends to collecting intelligence from allies and friends, which could explain why [Secureworks] researchers detected what appears to be an attempt by China to deploy advanced malware to computer systems of Russian officials.”
The Secureworks researchers found the malware embedded in a malicious file opened a decoy document in English that discussed refugee and migrant pressures on countries bordering Belarus, and European Union sanctions against Belarus at the beginning of March 2022.
The malicious file simultaneously downloaded three additional files from a staging server that also hosted a domain flagged by Proofpoint in its early March analysis of Mustang Panda activity. Additionally, the methods by which the PlugX malware is deployed and operates is consistent with the group’s established approach to executing malware payloads through a process known as DLL search order hijacking.
PlugX was first seen in 2008 and has since been adapted in various ways, but typically allows an attacker to steal sensitive information and execute commands on the target machine.