China’s APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe

A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems.

Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called APT31, which is also tracked under the monikers Bronze Vinewood, Judgement Panda and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed.

The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure.

“One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe,” Kaspersky said.

“The other type of implant is designed for stealing data from a local computer and sending it to Dropbox with the help of the next-stage implants.”

One set of backdoors includes various versions of a malware family called FourteenHi that have been put to use since at least mid-March 2021 and which come with a broad spectrum of features to upload and download arbitrary files, run commands, start a reverse shell, and erase their own presence from the compromised hosts.

A second first-stage backdoor used for remote access and initial data gathering is MeatBall, which possesses capabilities to list running processes, enumerate connected devices, perform file operations, capture screenshots, and self-update itself.

Also discovered is a third type of first-stage implant that makes use of Yandex Cloud for command-and-control, mirroring similar findings from Positive Technologies in August 2022 detailing APT31 attacks targeting Russian media and energy companies.

“The tendency to abuse cloud services (e.g., Dropbox, Yandex, Google, etc.) is not new, but it continues to expand, because it is hard to restrict / mitigate in cases when an organization’s business processes depend on using such services,” Kaspersky researchers said.

“Threat actors keep making it more difficult to detect and analyze threats by hiding payloads in encrypted form in separate binary data files and by hiding malicious code in the memory of legitimate applications via DLL hijacking and a chain of memory injections.”

APT31 has also been observed utilizing dedicated implants for gathering local files as well as exfiltrating data from air-gapped systems by infecting removable drives.

The latter malware strain consists of at least three modules, with each component responsible for different tasks, such as profiling and handling removable drives, recording keystrokes and screenshots, and planting second-step malware on newly connected drives.

“The threat actor’s deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking [underscore] the sophistication of their tactics,” Kirill Kruglov, senior security researcher at Kaspersky ICS CERT, said.

“Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor.”

While the aforementioned attack chains are expressly engineered for the Windows environment, there is evidence that APT31 has set its sights on Linux systems as well.

Earlier this month, the AhnLab Security Emergency Response Center (ASEC) uncovered attacks likely carried out by the adversary against South Korean companies with the goal of infecting the machines with a backdoor called Rekoobe.

“Rekoobe is a backdoor that can receive commands from a [command-and-control] server to perform various features such as downloading malicious files, stealing internal files from a system, and executing reverse shell,” ASEC said.

“While it may appear simple in structure, it employs encryption to evade network packet detection and can perform a variety of malicious behaviors through commands from the threat actor.”