Asian critical infrastructure subjected to clandestine Chinese hacking campaign

Threat Intelligence, Critical Infrastructure Security

Newly discovered Chinese threat operation CL-UNK-1068 has been covertly compromising telecommunications, energy, technology, pharmaceutical, government, and law enforcement organizations in South, Southeast, and East Asia as part of a years-long hacking campaign, The Hacker News reports.

Misconfigured web servers have been exploited by CL-UNK-1068 to distribute the Godzilla and ANTSWORD webshells, achieve lateral movement, and pilfer browser history, XLSX and CSV files, and database backups, according to Palo Alto Networks Unit 42 researchers. Attackers have also weaponized Python executables to run illicit DLLs. Other tools powering CL-UNK-1068's credential theft activities include Mimikatz, LsaRecorder, DumpItForLinux, Volatility Framework, and the SQL Server Management Studio Password Export Tool.

"This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system. While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intentions," said researchers.
