France has issued a new cyber threat advisory about targeted espionage operations directed at third-party service providers and engineering firms.
The findings — published by the country’s cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) — are based on its investigation into two different sets of attacks: one involving the use of PlugX malware, and another that relies on legitimate tools (CertMig, ProcDump, Netscan) and credential theft.
ANSSI said the campaign dates back as far as 2017. “The main purpose of these activities seems to be credentials gathering, thanks to spear phishing emails, and phishing websites,” it added.
The threat actor — possibly linked to North Korean hacking group Kimsuky — has targeted a wide range of entities, including diplomatic bodies belonging to member countries of the United Nations Security Council such as China, France, Belgium, Peru, and South Africa.
PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, and webcam control, while evading security controls and detection.
The malware has become a tool of choice for Chinese state-sponsored actors in recent years, with Palo Alto Networks’ threat intelligence team Unit 42 last week linking cyberattacks in Southeast Asia to a group it calls PKPLUG.
ANSSI said the attackers gained initial access to target networks by exploiting security vulnerabilities on endpoints, by sending phishing emails, or by using leaked credentials. Once inside, they obtained elevated privileges on internal systems, installed malware, and moved laterally across the network to meet their operational objectives.
In addition to using VPNs to anonymize their incoming connections, they also saved their tools in folders named after popular antivirus software, such as ESET and McAfee, to evade detection.
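As an added example (not code from the advisory or the article), the following Python triage check flags file-write events in which a binary lands in a folder named after an antivirus vendor but outside that vendor's conventional install root, or in which one of the dual-use tools named above appears under such a folder. The log format, install roots and sample events are constructed assumptions.

```python
# Vendor names the advisory says were used as decoy folder names, and the
# Windows directories where those vendors' products are normally installed.
# (Assumed conventional install roots; tune to the organisation's baseline.)
AV_VENDORS = ("eset", "mcafee")
LEGIT_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\",
)
# Dual-use utilities named in the advisory (file names are assumptions).
SUSPECT_TOOLS = {"procdump.exe", "procdump64.exe", "netscan.exe", "certmig.exe"}


def is_suspicious_path(path: str) -> bool:
    """True if a file sits in a folder named after an AV vendor and is either
    outside the vendor's conventional install roots or is a dual-use tool."""
    p = path.lower()
    parts = p.split("\\")
    dirs, name = parts[:-1], parts[-1]
    if not any(d in AV_VENDORS for d in dirs):
        return False                      # not using the AV-folder decoy
    if name in SUSPECT_TOOLS:
        return True                       # dual-use tool hidden in an AV folder
    under_legit_root = any(p.startswith(root) for root in LEGIT_ROOTS)
    return not under_legit_root           # AV-named folder in an odd location


def scan_events(lines):
    """Parse constructed 'timestamp|host|event|path' lines and return the
    (host, path) pairs of file creations that merit analyst review."""
    hits = []
    for line in lines:
        _ts, host, event, path = line.strip().split("|", 3)
        if event == "FileCreate" and is_suspicious_path(path):
            hits.append((host, path))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "2019-10-21T08:12:03Z|ws01|FileCreate|C:\\Users\\Public\\ESET\\procdump64.exe",
    "2019-10-21T08:12:09Z|ws01|FileCreate|C:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
    "2019-10-21T08:13:44Z|srv02|FileCreate|C:\\Windows\\Temp\\McAfee\\netscan.exe",
    "2019-10-21T08:14:01Z|srv02|ProcessCreate|C:\\Windows\\Temp\\McAfee\\netscan.exe",
    "2019-10-21T08:15:30Z|ws03|FileCreate|C:\\Users\\alice\\Documents\\report.docx",
]

if __name__ == "__main__":
    for host, path in scan_events(SAMPLE_LOG):
        print(f"review: {host} wrote {path}")
```

The check is deliberately narrow; in practice it belongs alongside the network-connection monitoring and least-privilege controls the advisory recommends, not in place of them.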
As a consequence, the cybersecurity agency has urged service providers and their clients to set up two-factor authentication, monitor their networks for malicious connections, and grant external entities the least amount of access necessary, to thwart privilege escalation.
The ANSSI alert comes as supply chain attacks — compromising a third party with a connection to the true target — are becoming an increasingly common way to target businesses and install malware. Last month, European aerospace giant Airbus was hit by a series of cyber assaults aimed at its suppliers possibly by China-linked actors in search of commercial secrets.
Leveraging a service provider as an attack vector also vastly increases the scale of a security incident, as a successful break-in opens up access to multiple clients, making them all vulnerable at once.
Whether by beefing up account security, isolating critical network infrastructure, or ensuring timely data backups, having well-tailored controls in place across the organization can ensure preparedness at both tactical and strategic levels for a destructive malware attack.