Active Chinese hacking campaign targeted diplomats from Slovakia, South America

The timing of the attacks on Slovakia coincided with possible business investment from a Chinese steel giant.

Suspected Chinese hackers who have haunted military and government targets for a generation have updated their malicious software tools to target diplomatic missions.

The Ke3chang cyber-espionage group has been active since at least 2010, researchers say, gathering intelligence about international government contractors, military organizations and breached computers used by foreign ministries before the 2012 G20 Summit, according to FireEye.

Now, there’s new evidence the group updated its tactics in a series of attacks aimed at diplomats in Belgium, Brazil, Chile, Guatemala, and Slovakia. Security specialists at the Slovak antivirus company ESET published research Thursday demonstrating how the Ke3chang group used a technical backdoor, Okrum, and an updated version of the Ketrican malware. The hacking tools allow Ke3chang hackers to intercept information about victims, including their usernames, IP addresses, operating systems and build numbers; their language and country names; and other communications.

ESET’s says its findings date back to 2015, when employees “identified new suspicious activities in European countries.” The company did not tie the hacking activity with any international events, though it did say Ke3chang “seemed to have a particular interest in Slovakia” for a number of years, especially into 2017.


The timeline roughly coincides with changing diplomatic relations between Slovakia and China, and possible investments from Beijing into Central Europe. China’s Hesteel Group, then the world’s second-largest steel producer, offered $1.5 billion for a plant in Slovakia, though the deal never went through.

The group is still active, according to ESET, with new malware samples uncovered as recently as March of this year. ESET did not attribute Ke3chang to any particular nation-state, though previous research from other firms have tied Ke3chang tools to hackers operating out of China. The group is also known as APT15, Playful Dragon, Vixen Panda, and Thailand’s Computer Emergency Response Team has deemed it a state-sponsored operation.

Palo Alto Networks in 2016 caught Ke3chang using malware against embassy officials from India, which shares a border with China.

“Just like the other known Ke3chang malware, Okrum is not technically complex, but we can certainly see that the malicious actors behind it were trying to remain undetected by using tactics such as embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, as well as making frequent changes in implementation,” ESET researchers explain.

“Since the Okrum backdoor is not very technically complex, most of the malicious activity must be performed by manually typing shell commands, or by executing other available tools and software,” the ESET team says.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts