Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign 

A South Asian espionage group named Bitter has been targeting the Chinese nuclear energy sector.

A South Asian advanced persistent threat (APT) actor has been targeting the nuclear energy sector in China in a recent cyberespionage campaign, Intezer reports.

Dubbed ‘Bitter’ and active since at least 2021, the group is known for the targeting of energy and government organizations in Bangladesh, China, Pakistan, and Saudi Arabia, and is characterized by the use of Excel exploits, and Microsoft Compiled HTML Help (CHM) and Windows Installer (MSI) files.

Continuing to target Chinese organizations, the group used updated first-stage payloads in the recently observed espionage campaign, added an extra layer of obfuscation, and employed additional decoys for social engineering.

The Bitter APT targeted recipients in China’s nuclear energy industry with at least seven phishing emails impersonating the embassy of Kyrgyzstan in China, inviting them to join conferences on relevant subjects.

The recipients were lured into downloading and opening an attached RAR archive containing CHM or Excel payloads designed to achieve persistence and fetch additional malware from the command-and-control (C&C) server.

Observed Excel payloads contained an Equation Editor exploit designed to set a scheduled task to download a next-stage EXE file, and another task to execute the payload.

CHM files, on the other hand, can be used to simply execute arbitrary code with low user interaction, even if a vulnerable iteration of Microsoft Office is not installed, and the Bitter APT used multiple such files in this campaign.

One of the identified variants creates a scheduled task to execute a remote MSI payload using msiexec. While investigating the attack chain, Intezer was only served empty MSI files, which the attackers could use for reconnaissance and which could be swapped with an actual payload if the target is deemed promising.

Advertisement. Scroll to continue reading.

A second version of the CHM file was observed performing similar activity using an encoded PowerShell command stage.

“Bitter APT do not appear to change their tactics too much, therefore we can assume that the payloads will be similar to those observed in 2021, executing a downloader module that can be served with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer,” Intezer notes.

Related: New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries

Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

Related: Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...