Chinese Hacking Group Targeted Governments In Six Countries (Nov 4, 2019)
Newly discovered Advanced Persistent Threat (APT) group “Calypso” has been targeting government bodies in various countries since 2016. After discovering the group in March, researchers at Positive Technologies found that government agencies in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey had been targeted. The group typically infiltrates networks by exploiting a Windows SMB vulnerability, “CVE-2017-0143”, or by using stolen credentials. The Calypso backdoor and Remote Access Trojan (RAT), the group’s namesake, is then deployed. The backdoor enables the actors to execute commands and to upload malware and utilities such as EternalBlue, allowing them to move laterally through the network. By using legitimate tools, the group is able to evade detection in order to steal sensitive information. Positive Technologies states that the APT group is likely based in Asia, has Chinese-language abilities, and utilized a Chinese IP address.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. As this story shows, patch-maintenance policies are crucial and can help protect your company from threat groups that utilize older vulnerabilities to gain initial access to a target’s network.
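As an added example (not part of the original briefing or of the Positive Technologies report), the following PowerShell audit checks a Windows host for the SMBv1 exposure that CVE-2017-0143 (one of the MS17-010 flaws used by EternalBlue-style tooling) depends on, and optionally disables SMBv1. The KB identifier is a placeholder you must replace with the MS17-010 KB for the host’s OS build; the `Remediate` switch is this script’s own parameter.

```powershell
# Added example: audit one Windows host for SMBv1 exposure and MS17-010 patch state.
param(
    [string]$Ms17010Kb = 'KB-PLACEHOLDER',   # ASSUMPTION: replace with the MS17-010 KB for this OS build
    [switch]$Remediate                       # when set, disable SMBv1 after auditing
)

$findings = [ordered]@{}

# 1. Is the SMB1 server protocol still enabled?
$srv = Get-SmbServerConfiguration
$findings['SMB1ServerEnabled'] = $srv.EnableSMB1Protocol

# 2. Is the SMB1Protocol optional feature installed (Windows 10 / Server 2016 and later)?
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$findings['SMB1FeatureState'] = if ($feat) { $feat.State.ToString() } else { 'NotPresent' }

# 3. Is the MS17-010 hotfix present? (Missing KB + SMBv1 enabled = highest risk.)
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
$findings['MS17010Installed'] = [bool]$hotfix

# 4. Is TCP/445 listening? If not, remote SMB exploitation of this host is not reachable anyway.
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$findings['Port445Listening'] = [bool]$listener

[pscustomobject]$findings | Format-List

if ($findings['SMB1ServerEnabled'] -and $Remediate) {
    # Turning SMBv1 off removes the attack surface CVE-2017-0143 lives in; a reboot completes the change.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Output 'SMBv1 disabled; schedule a reboot to complete removal.'
}
```

Run it from an elevated prompt across a fleet with your remoting tool of choice and feed the four fields into your asset inventory; a host reporting SMB1 enabled, the hotfix missing, and port 445 listening is the one to patch first.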
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.