March 28, 2023
A notorious Chinese cyberespionage group has been spotted targeting a data loss prevention (DLP) company that serves military and other government organizations. Cybersecurity firm ESET analyzed the attack, which it managed to trace back to March 2021. Over the course of more than a year, the hackers conducted activities within the network of the targeted…

A notorious Chinese cyberespionage group has been spotted targeting a data loss prevention (DLP) company that serves military and other government organizations.

Cybersecurity firm ESET analyzed the attack, which it managed to trace back to March 2021. Over the course of more than a year, the hackers conducted activities within the network of the targeted organization.

The victim is a DLP software development company located in an unnamed East Asian country. ESET’s report does mention possible links to a different attack aimed at South Korean companies and individuals, but it’s unclear if the DLP firm is from the same country. 

Tick, also known as Bronze Butler and RedBaldKnight, has been around since at least 2006, mainly targeting entities in the APAC region with the goal of stealing intellectual property and classified information. The hackers have been known to use sophisticated methods — including zero-day vulnerabilities — in their attacks.

ESET has attributed the attack on the DLP company to Tick with high confidence, primarily based on the use of malware that is unique to this APT.

The attackers deployed three pieces of malware during this operation, including a new downloader named ShadowPy.

One interesting aspect of the attack observed by ESET is the fact that the hackers compromised update servers and tools used by the victim, but they apparently leveraged them to spread laterally within the company’s environment rather than for conducting a supply chain attack targeting its customers.

ESET did identify two customers who had received trojanized installers developed by the attackers, but researchers believe these malicious installers were transferred to the customers by mistake by the DLP firm’s employees during tech support activities rather than being distributed by the attackers. 

“Using ESET telemetry, we didn’t identify any customers of the DLP company who had received any malicious files through the software developed by that company,” ESET said.

Related: Custom Chinese Malware Found on SonicWall Appliance

Related: EU Organizations Warned of Chinese APT Attacks

Related: Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT

Source