Countries and leaders who met for the G7 summit last month have drawn the attention of what are believed to be China-based hackers.
The threat actors behind the malicious activity launched a phishing email campaign posing as the Indonesian ministries of foreign and economic affairs, targeting France, Singapore, the United Kingdom, and Australia.
The G7 (Group of Seven) is made up of Australia, Brazil, the Cook Islands, Comoros, India, Indonesia, the Republic of Korea, Ukraine, and Vietnam. The meeting of the seven nations last month occurred in Hiroshima, Japan.
The hackers attached a document to the emails sent to the targeted nations’ leaders; it imitated action statements and security points from the G7 meeting while pushing several of China’s policy positions.
The email also attempted to convince leaders to download malicious software, with the goal of espionage and collecting classified information.
When the attached document is opened, infostealer malware is installed that is capable of monitoring network activity, collecting passwords, logging keystrokes and granting the hackers remote access.
Analysts from cyber security organisation SentinelOne, speaking with the AFR, said that while it was unable to conclude that the hacking group was backed by the country’s communist government, it was able to detect signs that the threat actors were based in China, based on the tooling used to build the malicious document and the techniques employed.
“We’ve tracked it back to previous TTP [tactics, techniques, procedures] known to be associated with Chinese groups,” said SentinelOne vice-president of cyber threat response and former US FBI senior digital forensic analyst Brian Hussey.
“But as we really dug into it, the type of exploit used, the name of the files and the forensic artefacts left on the system were very similar, or even identical, to previously identified Chinese-based attacks.”
SentinelOne identified that the malicious attachment in the emails was built using the RoyalRoad tool, which is often associated with China- and Russia-based hackers.
Hussey said that SentinelOne’s identification and research of the email campaign led them to conclude that China was behind the attacks, adding: “If it’s an intel organisation, they’re likely looking for locations of high-level targets, what they’re doing, what their emails are producing, intel gathering, or, if it’s financially motivated, they’re looking for ransomware or other kind of financial motivations.”
“What leads us to China, it starts with the victimology, so who’s being targeted? These government officials.”
He added that the hacking attempt was well funded and would have required the effort of a large team of people, alluding to the threat actors being more than a typical cyber criminal organisation.
The G7 attack has contributed to concerns that other national alliances, such as the Quad Nations, may be under threat.
The Australian Cyber Security Centre, speaking with the AFR, said the increased frequency of state-backed cyber attacks was concerning.
“The Australian Signals Directorate’s Australian Cyber Security Centre provides technical advice and strategies to mitigate cyber security incidents caused by various cyber threats, including those conducted by advanced persistent threats such as state actors,” the spokesperson told the AFR.
“The Australian government will continue to deter and respond to malicious actors threatening our national interests, including attributing malicious cyber activity when it is in our interests to do so.”
This comes after a government crisis group was established by Home Affairs and led by the Attorney-General’s Department last week, following concern that several government agencies may have been affected by the HWL Ebsworth hack.
On top of the prior announcement that the Office of the Australian Information Commissioner (OAIC) was affected by the HWL Ebsworth data breach, a number of government agencies, including the Australian Federal Police (AFP), Australian Taxation Office (ATO), the Commonwealth Director of Public Prosecutions, the Department of Defence and the Department of Home Affairs, were also reportedly affected.