An anonymous Chinese-speaking hacker group successfully penetrated systems holding content related to China’s National Games last year. According to cybersecurity company Avast, which examined the breach, the attackers gained access to a web server on September 3, 12 days before the event’s commencement, and dropped multiple reverse web shells for remote access to establish a permanent foothold in the network.
The National Games of China is a multi-sport event hosted every four years. The 2021 edition was held in Shaanxi Province from September 15 to September 27. The Czech firm said it could not ascertain the nature of the data acquired by the hackers, but that it had “reason to believe [the attackers] are either native Chinese-language speakers or show high fluency in Chinese.” The breach was believed to have been resolved before the beginning of the games.
Initial access was gained by exploiting a vulnerability in the web server. Before deploying the web shells, the adversary first tested which kinds of files the server would accept, then followed up by uploading executable malware disguised as seemingly innocent picture files. Moreover, after failing to reconfigure the server to execute the Behinder web shell, the operators “uploaded and ran an entire Tomcat server properly configured and weaponized” with the post-exploitation tool.
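The upload probing described above works because many upload handlers trust the file name rather than the file content. The following validator is an added illustration written for this article (it is not Avast’s code and not taken from the incident write-up): it accepts an “image” only when its leading bytes match the format the extension claims, and rejects anything that starts like a Windows, Linux or macOS executable, a JAR/ZIP archive or a script, as well as image files that carry server-side code inside them. The sample uploads at the bottom are constructed for the demonstration.

```python
"""Content-based validation of image uploads (added example, not from the article)."""
from dataclasses import dataclass

# Leading bytes that identify the image formats we are willing to accept.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Leading bytes of things that must never land in an image upload directory.
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                  # Windows executable / DLL
    b"\x7fELF": "elf",            # Linux executable / shared object
    b"PK\x03\x04": "zip",         # ZIP, which is also JAR/WAR (deployable Java code)
    b"#!": "script",              # shell or interpreter script
    b"\xfe\xed\xfa\xce": "macho", # Mach-O 32-bit
    b"\xcf\xfa\xed\xfe": "macho", # Mach-O 64-bit, little-endian
}

# Fragments of server-side code that have no business inside a picture.
# Short markers like "<%" alone would collide with random image bytes, so
# longer ones are used here; re-encoding the image is the stronger control.
SOURCE_MARKERS = (b"<?php", b"<jsp:", b"<%@ page", b"<%@page")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def validate_upload(filename: str, data: bytes) -> Verdict:
    """Accept only files whose content matches the image type their name claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        return Verdict(False, f"extension '.{ext}' not allowed")
    head = data[:16]
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return Verdict(False, f"{kind} executable disguised as .{ext}")
    if not any(head.startswith(p) for p in IMAGE_MAGIC[ext]):
        return Verdict(False, f"content does not match .{ext} signature")
    if any(marker in data for marker in SOURCE_MARKERS):
        return Verdict(False, f"server-side code embedded in .{ext}")
    return Verdict(True, "ok")


# Constructed sample uploads: one genuine PNG, several disguised payloads.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,                 # PE header renamed to .jpg
    "logo.gif": b"\x7fELF\x02\x01\x01" + b"\x00" * 32,         # ELF renamed to .gif
    "pic.jpeg": b"\xff\xd8\xff\xe0" + b'<%@ page import="java.io.*" %>',  # JPEG/JSP polyglot
    "shell.jsp": b"<%@ page %>",                               # extension not allowed at all
    "cat.jpg": b"GIF89a" + b"\x00" * 10,                       # real GIF, wrong extension
}


def triage(samples=SAMPLES):
    """Run the validator over every sample and return the verdict per file name."""
    return {name: validate_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:12} {'ACCEPT' if verdict.accepted else 'REJECT'}  {verdict.reason}")
```

Extension allow-listing alone would have passed four of the six samples; the magic-byte and polyglot checks catch them. Storing uploads outside the document root and serving them with a fixed image content type closes the remaining gap, since even a valid picture cannot then be executed by the server.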
“After gaining access, the attackers tried to move through the network using exploits and bruteforcing services in an automated way,” said Avast researchers Jan Neduchal and David Álvarez Pérez. A network scanner and a custom one-click exploitation framework written in Go were among the tools uploaded to the server, allowing the threat actor to perform lateral movement and autonomously break into additional devices on the same network.
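Automated brute-forcing of the kind the researchers describe leaves a characteristic trace: a burst of failed logins from one source, sometimes followed by a success. The detector below is an added example for this article (not Avast’s code and not derived from the incident); it assumes sshd-style authentication log lines, flags any source with at least five failures inside a 60-second window, and separately flags a successful login from a source that was already flagged. The threshold, window and log lines are all constructed for the demonstration.

```python
"""Sliding-window brute-force detector over sshd-style auth logs (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass
class Alert:
    kind: str    # "bruteforce" or "success-after-bruteforce"
    src: str
    user: str    # user named in the line that triggered the alert
    count: int   # failures from this source at the time of the alert


def parse_line(line, year=2021):
    """Return (timestamp, outcome, user, source) or None for lines we don't handle."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2021 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside window_s seconds, plus any
    later successful login from a flagged source (the more important signal)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        if outcome == "Failed":
            q = failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop stale entries
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(Alert("bruteforce", src, user, len(q)))
        elif outcome == "Accepted" and src in flagged:
            alerts.append(Alert("success-after-bruteforce", src, user, len(failures[src])))
    return alerts


# Constructed log sample: a slow trickle from 192.168.1.20 (below the rate),
# a burst from 10.0.0.5 that then succeeds, and an ordinary typo from 10.0.0.9.
SAMPLE_LOG = """\
Sep  3 10:00:00 srv sshd[2100]: Failed password for root from 192.168.1.20 port 3001 ssh2
Sep  3 10:01:40 srv sshd[2101]: Failed password for root from 192.168.1.20 port 3002 ssh2
Sep  3 10:03:20 srv sshd[2102]: Failed password for root from 192.168.1.20 port 3003 ssh2
Sep  3 10:05:00 srv sshd[2103]: Failed password for root from 192.168.1.20 port 3004 ssh2
Sep  3 10:06:40 srv sshd[2104]: Failed password for root from 192.168.1.20 port 3005 ssh2
Sep  3 10:12:01 srv sshd[2201]: Failed password for root from 10.0.0.5 port 4422 ssh2
Sep  3 10:12:03 srv sshd[2202]: Failed password for invalid user admin from 10.0.0.5 port 4423 ssh2
Sep  3 10:12:05 srv sshd[2203]: Failed password for invalid user tomcat from 10.0.0.5 port 4424 ssh2
Sep  3 10:12:08 srv sshd[2204]: Failed password for root from 10.0.0.5 port 4425 ssh2
Sep  3 10:12:10 srv sshd[2205]: Failed password for deploy from 10.0.0.5 port 4426 ssh2
Sep  3 10:12:12 srv sshd[2206]: Failed password for deploy from 10.0.0.5 port 4427 ssh2
Sep  3 10:12:40 srv sshd[2207]: Accepted password for deploy from 10.0.0.5 port 4428 ssh2
Sep  3 10:13:00 srv sshd[2208]: Failed password for alice from 10.0.0.9 port 5000 ssh2
Sep  3 10:13:20 srv sshd[2209]: Accepted password for alice from 10.0.0.9 port 5001 ssh2
"""


def run_demo():
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.kind:25} src={a.src} user={a.user} failures={a.count}")
```

The slow source stays under the window on purpose: a fixed per-minute threshold is easy to evade by pacing attempts, so in practice this rule is paired with a longer-window count per source and with a count of distinct usernames tried, and the “success after failures” alert is the one that warrants immediate review of that account and host.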
“Go is a programming language becoming more and more popular which can be compiled for multiple operating systems and architectures, in a single binary self-containing all dependencies,” the researchers said, noting the use of Go-based malware in cyberattacks. “So we expect to see malware and grey tools written in this language in future attacks, especially in [Internet of things] attacks where a broad variety of devices leveraging different kinds of processor architectures are involved.”