Critical Infrastructure Security

Chinese Espionage Group Active Across Eastern Europe

Kaspersky Says APT31 Targeted Industrial Organizations for Spying
An aerial view of the oil storage facility in Varna, Bulgaria (Image: Getty)

A Chinese state-sponsored hacking group likely deployed more than a dozen malware variants to target critical infrastructure across Eastern Europe as part of an espionage campaign, warns security firm Kaspersky.

In a report analyzing the group's activities, Kaspersky researchers uncovered 15 malware variants used by the group since 2022 to target industrial organizations across Eastern Europe.

Kaspersky attributed the activity, with medium to high confidence, to APT31, also known as Violet Typhoon - formerly Zirconium - and Judgment Panda. The group specializes in intellectual property theft. Security researchers from Mandiant said in a July report that they had spotted APT31 targeting air-gapped networks to steal information from oil and gas organizations across the world.

Kaspersky said the 15 variants it examined are updated versions of the FourteenHi info stealer that was linked to the group in 2021. The group used the malware variants in "various combination" with a motive to establish a "permanent channel for data exfiltration," including from air-gapped networks, Kaspersky said.

These strains differed only in persistence capabilities; their other infection tactics remained the same. The hackers combined the variants along with a new malware backdoor dubbed MeatBall, which was used to establish remote access capabilities, the researchers said.

The hackers used cloud services such as Dropbox and Yandex Disk, as well as virtual private servers, to deploy the malware in various stages, the report says.

The first-stage implants performed reconnaissance and initial data gathering, the second-stage implants were used to exfiltrate files, and the third-stage implants served as the command and control for the malware, the researchers said.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
