A Chinese hacking group known as APT15 has been identified by Symantec as targeting foreign affairs ministries in the Americas. The group used a new backdoor called Graphican as part of an attack campaign spanning late 2022 to early 2023.
The motivation behind these attacks appears to be intelligence gathering, most likely with a geopolitical purpose.
Key Takeaways:
- APT15, a Chinese hacking group, is targeting foreign ministries in the Americas with the Graphican backdoor.
- APT15 uses a sophisticated toolset and exploits known vulnerabilities to gain unauthorized access and extract credentials.
- The group’s activities point to a likely geopolitical motive, with a focus on intelligence gathering.
APT15’s sophisticated attack campaign
APT15, also known as Flea, KE3CHANG, Nickel, Playful Dragon, Royal APT, and Vixen Panda, has been active since 2004.
The group is well-resourced and likely sponsored by the Chinese government. Its recent campaign targets governments, diplomatic missions, human rights organizations, embassies, and think tanks across various regions.
Graphican backdoor and toolset
APT15 employs the Graphican backdoor, which shares functionality with the previously used Ketrican backdoor. Graphican uses the Microsoft Graph API to connect to OneDrive and retrieve its command-and-control information from there, so its traffic blends in with legitimate Microsoft cloud usage.
In addition, the group uses multiple living-off-the-land tools, web shells, and publicly available tools to carry out its attacks.
Exploiting vulnerabilities and extracting credentials
APT15 takes advantage of known flaws, such as the critical vulnerability CVE-2020-1472 (Zerologon), to gain unauthorized access to targeted networks.
Its toolset lets the group steal email messages, dump Windows credentials, escalate privileges, and exploit vulnerabilities in various applications.
APT15’s Targeted Attack on Foreign Ministries
Symantec’s findings highlight APT15’s targeting of foreign affairs ministries in the Americas through the Graphican backdoor.
The campaign, which ran from late 2022 to early 2023, involved multiple tools, including the Graphican backdoor, the Ewstew backdoor, and various publicly available tools.
By exploiting vulnerabilities and extracting credentials, the group aims to gain persistent access to its targets’ networks for intelligence-gathering purposes.
Conclusion
The activities of APT15, a well-resourced Chinese hacking group, have raised concerns as it targets foreign affairs ministries in the Americas. Its use of the Graphican backdoor, along with other sophisticated tools, demonstrates its ability to carry out persistent and covert attacks.
It is crucial for organizations, especially those in the targeted sectors, to strengthen their cybersecurity defenses and remain vigilant against such advanced threats.