SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Apple
#
Technology Gifts
#
Australian
China-aligned hackers exploit religious festival to spy on global Tibetans
Thu, 14th Mar 2024
Author image
By Kaleah Salmon, Journalist
Follow us

ESET Research, a prominent figure in the sphere of IT security, has unearthed a cyberespionage campaign that exploited a religious gathering, the Monlam Festival, to encroach upon and spy on Tibetans in several locations globally with high assurance tracing this operation back to the China-aligned Evasive Panda Advanced Persistent Threat (APT) group.

The cybercriminals managed to infiltrate the website of the annual festival's organizer in India, embedding a malicious code to create a watering-hole attack targeted at users connecting from particular networks. ESET also revealed that the attackers successfully compromised a software developer's supply chain, serving trojanized installers for both Windows and macOS users.

The full roster of tools utilized for this exercise included several malicious downloaders and comprehensive backdoors, one of which was an all-new, publicly undocumented one for Windows named 'Nightdoor'. The cyberespionage campaign cast a wide net, targeting users situated in India, Taiwan, Hong Kong, Australia, and the United States, including Georgia Tech.

Anh Ho, the ESET researcher who discovered the cyber intrusion, stated, "The attackers fielded several downloaders, droppers, and backdoors, including MgBot — which is exclusive to Evasive Panda — and Nightdoor, the latest significant addition to the group’s toolkit that has been used to target several networks in East Asia. The Nightdoor backdoor, used in the supply-chain attack, is a recent addition to Evasive Panda’s repertoire."

Ho revealed that the earliest version of Nightdoor that they could track dated back to 2020 when Evasive Panda launched it onto the machine of a significant target in Vietnam. Following this discovery, ESET has requested that the Google account linked to its authorization token be withdrawn.

Evasive Panda, also known as BRONZE HIGHLAND or Daggerfly, is a China-allied APT group conversant in Chinese, with activities tracing back to at least 2012. ESET Research has noted Evasive Panda conducting cyberespionage on individuals in mainland China, Hong Kong, Macao, and Nigeria. Apart from these, targets also included government entities in Southeast and East Asia, specifically China, Macao, Myanmar, The Philippines, Taiwan, and Vietnam. Other attacked organizations were in China and Hong Kong.

The group utilises a custom malware framework with a modular architecture. Its backdoor, known as MgBot, receives modules to enhance its spying capabilities. Eset has also observed since 2020 that Evasive Panda has the capacity to deliver its backdoors via adversary-in-the-middle attacks, hijacking updates of legitimate software.

Related stories
Ransomware threats escalating in Southeast Asia – report
Yahoo ventures into CTV space with Yahoo Identity Solutions
Ransomware activity spikes 20%, hospitals now in crosshairs
Half of online traffic in 2024 generated by bots, report finds
Understanding the key to boosting cybersecurity habits: Kaspersky study
Top stories
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity
Record ransomware attacks in March 2024, report finds