Chinese hackers hit government systems, stealing emails and more - here's what we know


  • Phantom Taurus targeted diplomatic entities in South Asia and the Middle East using NET-STAR malware
  • Unit 42 attributes the group to China based on tactics, infrastructure, and strategic targeting
  • Victims include Afghanistan and Pakistan - and more may be coming

A Chinese state-sponsored threat actor tracked as Phantom Taurus has been seen targeting email communications and databases belonging to governments in the Middle East and South Asia with brand-new malware.

Security researchers from Unit 42 have been tracking the threat actor for years and have concluded that it is sponsored by China, based on a combination of technical indicators, targeting patterns, and strategic alignment.

The experts observed the group targeting ministries of foreign affairs, embassies, and government entities, all typical victims of nation-state intelligence operations.

Sharing infrastructure

The group also used a custom backdoor malware suite called NET-STAR, whose level of sophistication is typical of nation-state development.

“The NET-STAR malware suite demonstrates Phantom Taurus’ advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers,” the researchers explained.

Phantom Taurus also apparently shares infrastructure, malware traits, and tactics with known Chinese APTs, particularly BackdoorDiplomacy. Overlapping C2 domains, malware loaders, and similar spear-phishing techniques all led Unit 42 to conclude that Phantom Taurus is a Chinese actor.

They have now placed it alongside other “tauruses” - Iron Taurus, Starchy Taurus, and Stately Taurus. The latter, also known as Mustang Panda, is a widely known threat actor that has been seen targeting Microsoft tools, cloud services, and more.

Unfortunately, we don’t know exactly how Phantom Taurus infects its victims with NET-STAR. We can only assume it relies on the usual tactics, such as spear-phishing or exploitation of zero-day vulnerabilities. We do know, however, that its victims are located in Afghanistan and Pakistan.

China, as usual, denies any wrongdoing or any involvement in cyberattacks or cyber-espionage, and instead accuses the United States of being the world’s biggest “cyber-bully”.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
