Microsoft Threat Intelligence has warned that a Chinese government espionage hacking group is targeting critical US infrastructure, such as telecommunications networks, financial and legal services industries, and government and non-government agencies.
Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, spoke with The Register, saying the new group Microsoft is tracking under the moniker “Storm-0227” was targeting critical US infrastructure as recently as yesterday. DeGrippo says the group has been active since January but did not give a total number of victims. Notably, DeGrippo said the group’s membership has some overlap with Silk Typhoon, a notorious Chinese government-affiliated hacking group known for targeting healthcare, law firms, higher education, defense contractors, and non-governmental organizations.
Furthermore, over the past 12 months, Microsoft has seen a significant increase in the frequency of attacks by Chinese hacking groups. As for how the hacking is done, The Register reports that Storm-0227 typically infiltrates a system by exploiting security vulnerabilities in public-facing applications and by sending spear-phishing emails that contain malicious links or attachments. The objective of Storm-0227 is to get a victim to open a document that automatically downloads SparkRAT, an open-source remote administration tool that gives the controller administrative access to the machine.
“If you have the email communications that go with that file, and reference that file, and talk about what the point of it is, and why they’re using it, what it means, and why I’m sending this to you – it gives a richness to the intelligence gathering that the threat actor is doing,” she said.
Once a machine is infiltrated, the hacking group begins scraping any valuable data, such as credentials to cloud applications, documents, passwords, financial records, etc.
“They’re a significant threat, particularly because they really do embody the activity of persistence,” DeGrippo said. “China continues to focus on these kinds of targets. They’re pulling out files that are of espionage value, communications that are contextual espionage value to those files, and looking at US interests.”