Written by Jeff Stone
Suspected Chinese hackers who have haunted military and government targets for a generation have updated their malicious software tools to target diplomatic missions.
The Ke3chang cyber-espionage group has been active since at least 2010, researchers say, gathering intelligence about international government contractors, military organizations and breached computers used by foreign ministries before the 2012 G20 Summit, according to FireEye.
Now, there’s new evidence the group updated its tactics in a series of attacks aimed at diplomats in Belgium, Brazil, Chile, Guatemala, and Slovakia. Security specialists at the Slovakian antivirus company ESET published research Thursday demonstrating how the Ke3chang group used a technical backdoor, Okrum, and an updated version of the Ketrican malware. The hacking tools allow Ke3chang hackers to intercept information about victims, including their username, IP address, operating system and build number, their language and country name, and other communication.
ESET’s research contains findings dating back to 2015, when employees “identified new suspicious activities in European countries.” The company did not tie the hacking activity with any international events, though it did say Ke3chang “seemed to have a particular interest in Slovakia” for a number of years, especially into 2017.
The timeline roughly coincides with changing diplomatic relations between Slovakia and China, and possible investments from Beijing into Central Europe. China’s Hesteel Group, then the world’s second-largest steel producer, offered $1.5 billion for a plant in Slovakia, though the deal never went through.
The group is still active, according to ESET, with new malware samples uncovered as recently as March of this year. ESET did not attribute Ke3chang to any particular nation-state, though previous research from other firms have tied Ke3chang tools to hackers operating out of China. The group is also known as APT 15, Playful Dragon, Vixen Panda, and Thailand’s Computer Emergency Response Team has deemed it a state-sponsored operation.
Palo Alto Networks in 2016 caught Ke3chang using malware against embassy officials from India, which shares a border with China.
“Just like the other known Ke3chang malware, Okrum is not technically complex, but we can certainly see that the malicious actors behind it were trying to remain undetected by using tactics such as embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, as well as making frequent changes in implementation,” researchers explain in the report.
“Since the Okrum backdoor is not very technically complex, most of the malicious activity must be performed by manually typing shell commands, or by executing other available tools and software.”