Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack

A previously unknown hacking campaign targeted file protection, encryption and decryption software as part of a supply chain attack on unnamed targets in Hong Kong and other regions of Asia, according to an analysis published Tuesday.

Researchers with the Symantec Threat Hunter Team, part of Broadcom, dubbed the unknown actors behind the campaign “Carderbee” and said the group compromised a Cobra DocGuard software update file with the goal of deploying the Korplug backdoor (also known as PlugX), a widely used piece of malware.

The malware was signed with a legitimate Microsoft certificate, the researchers noted, which can make it much harder for security software to detect.

The campaign, which started in April 2023, was detected on roughly 100 computers across multiple organizations. Given that the Cobra DocGuard software — produced by the China-based EsafeNet, which itself is owned by the Chinese information security firm NSFOCUS — is only installed on roughly 2,000 computers, the “attacker may be selectively pushing payloads to specific victims,” the researchers said.

The campaign is just the latest example of a successful supply chain attack. In March, hackers with suspected links to North Korea successfully compromised the X_Trader financial trading software which led to a second successful attack on the 3CX video and online communications platform. In May, the ransomware syndicate CL0P compromised the MOVEit file sharing service, leading to data exfiltration from more than 600 organizations worldwide and data associated with tens of millions of people, according to a Reuters analysis.

Originally limited to Chinese-related hacking campaigns, PlugX is now widespread enough that conclusive attribution is not possible, the researchers said. Nevertheless, Cobra DocGuard update files were compromised to target a Hong Kong-based gambling company in September 2022, according to ESET, by a Chinese-linked hacking effort tracked as LuckyMouse (also known as APT27, Emissary Panda and Bronze Union). That campaign also delivered a variant of the Korplug malware.

The similar tactics, techniques and procedures hint at a Chinese connection, even if full attribution isn’t yet possible. “The Korplug back door is usually used by China-linked APT groups,” said Brigid O. Gorman, a senior intelligence analyst with Symantec. “In addition to this, the targeting is in line with what we’ve seen from China-linked groups in the past. As stated in the blog there are also some similarities between this activity and previous activity carried out by the Budworm (aka APT27) group.”

Gorman declined to elaborate on the victims in this particular campaign, but noted that although there were some victims throughout south and southeast Asia, “it appears organizations in Hong Kong were the main targets in this campaign.”

The attackers in this case “are patient and skilled actors,” the report’s authors conclude, leveraging “both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar.” And although there are open questions about the group — including a more complete picture of the sectors targeted in the campaign and links to established Chinese hacking efforts — the case is a reminder that “software supply chain attacks remain a major issue for organizations in all sectors.”