Chinese hackers launch new attacks to hit targets in India and Hong Kong, say researchers

A new variant of MgBot malware was used in latest attacks

Chinese hackers have intensified cyber attacks against government agencies and other institutions in India and Hong Kong in efforts to damage their reputation or to steal sensitive information from their systems.

That's according to researchers from cyber security firm Malwarebytes, who noticed the fresh attacks in the first week of July, coinciding with India's ban of 59 Chinese apps over security issues and the enactment of a contentious security law in Hong Kong.

The researchers said they are moderately confident that a new Chinese advanced persistent threat (APT) group is behind these attacks.

The researchers discovered the first variant on 2nd July. It was an archive file that came with an embedded document pretending to be from the government of India. The message alerted recipients that their email account had been compromised and that they needed to complete a security check before 5th July.

When opened, the document used template injection to download a remote, malicious template which eventually executed a variant of Cobalt Strike malware.

According to the researchers, the group changed the template the next day, this time dropping a loader called MgBot, which injected the final payload using the Application Management (AppMgmt) Service on Windows.

On 5th July, the researchers observed another version of the attack, this time using a totally different embedded document. The document purported to contain a statement about Hong Kong from British Prime Minister Boris Johnson, allegedly promising to offer British citizenship to nearly three million people living in Hong Kong.

The researchers said they were able to track the group's activities over several successive days based on the unique phishing lures designed to compromise its targets.

Since 2016, India has been the sixth most targeted country by China-based threat groups, according to cyber security firm FireEye. India follows the US, South Korea, Hong Kong, Germany and Japan in the list.

The Indian Computer Emergency Response Team (CERT-In) said last year that nearly 35 per cent of all cyber attacks on Indian sites in 2018 had originated from China.

Last month, researchers from cyber security firm CYFIRMA warned Indian authorities that Chinese hackers are planning to attack leading organisations like Airtel, Jio, and Cipla in order to "teach India a lesson".

CYFIRMA said that the activity of Chinese hackers on the dark web and various hacking forums had increased following the India-China border dispute in the Galwan Valley in June. The firm warned that Chinese groups like Gothic Panda and Stone Panda could hack into various Indian commercial organisations to damage their reputation and to steal any confidential data from their systems.

On Tuesday, the US Justice Department indicted two Chinese nationals, accusing them of trying to steal intellectual property and coronavirus vaccine research from firms based in the US and other countries.

The indictment claimed that the Chinese hackers were assisted by China's Ministry of State Security and attempted to hack into defence contractors, health care firms, medical research institutions, universities, maritime engineering firms, human rights activists and a range of other targets in western countries.