Chinese state-sponsored threat group APT31, also known as Judgment Panda, Violet Typhoon, and Bronze Vinewood, is suspected of targeting industrial entities across Eastern Europe in attacks on air-gapped systems last year, The Hacker News reports.
According to a Kaspersky report, APT31 leveraged more than 15 different implants in the multi-stage attacks. Alongside several versions of the FourteenHi malware family, used for arbitrary file uploads and downloads and command execution, the group's initial-stage backdoors also included the MeatBall malware and a separate payload that abuses Yandex Cloud for command-and-control.
Other implants were then used to enable local file collection and data exfiltration from the air-gapped systems.
"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking [underscore] the sophistication of their tactics. Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor," said Kaspersky ICS CERT Senior Security Researcher Kirill Kruglov.