A previously undocumented, long-running espionage operation targeting new geographies has been attributed to a Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese businesses, implying a “widening” of the threat actor’s targeting. Cicada, also tracked as Bronze Riverside, APT10, Potassium, Stone Panda, or MenuPass Team, has been linked to the wide-ranging intrusions, which are thought to have begun as early as mid-2021 and persisted as recently as February 2022.
“Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America,” researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said in a report.
According to Brigid O. Gorman, senior information developer at the Symantec Threat Hunter Team, there is a heavy focus on victims in the government and NGO sectors, with some of these groups working in the fields of religion and education. Most victims are based in the US, Canada, Montenegro, Hong Kong, India, Turkey, Israel, and Italy, with one victim in Japan; the attackers spent up to nine months on some of these networks. Gorman also said that there are some victims in the telecommunications, legal, and pharmaceutical sectors, but the primary targets of the campaign have been government and non-profit entities.
In March 2021, Kaspersky researchers disclosed an intelligence-gathering operation in which information-stealing implants were deployed against organizations across various industry sectors in Japan. Stone Panda was subsequently implicated in a coordinated supply chain attack directed at Taiwan’s banking industry to collect sensitive information from compromised devices. In the current wave of intrusions detected by Symantec, the attackers obtain initial access by exploiting a known, unpatched vulnerability in Microsoft Exchange Servers, which they then use to deliver their preferred backdoor, SodaMaster.
SodaMaster is a Windows-based remote access trojan (RAT) with capabilities for retrieving additional payloads and exfiltrating data back to its command-and-control (C2) server. The intrusions also made use of the Mimikatz credential dumping tool, WMIExec for remote command execution, NBTScan for internal reconnaissance, and VLC Media Player, abused to execute a custom loader on the infected host.