Chinese cybercriminals attack electric companies, water treatment plants and more critical infrastructure

A China-based group of threat actors is running an attack campaign against critical infrastructure in South Asia, compromising industrial control systems and extracting sensitive information. Unfortunately, attacks on critical infrastructure have become common practice for threat groups operating in the region.

A Symantec report notes that its threat analysis division detected multiple attacks by a single group against four critical infrastructure organizations in a South Asian country that the report does not name. The operation appears to be aimed at intelligence gathering; it seems to have started in November 2020 and remained active until early 2021.

According to the report, the IP addresses, the malware used in the attacks and the location of the victims suggest that all four organizations were attacked by the same group. Some evidence suggests that the hackers are based in China, though the researchers stopped short of attributing the campaign to a specific group, at least for now.

Specifically, the hackers targeted a water company, an energy company, a communications company and a national defense organization. It is not yet known what information the hackers managed to steal, although more may become known after careful analysis of the affected computers.

For example, in the attack on the water company, the hackers gained access to a machine involved in designing SCADA systems, suggesting that they may have had an interest in such systems. In the case of the power company, an infected device was used for engineering design work.

The group also abused legitimate tools to achieve its goals, including Windows Management Instrumentation (WMI), ProcDump, PsExec, PAExec and Mimikatz. The threat actors also abused a free media player for DLL hijacking and possibly Google Chrome Frame, a legitimate Internet Explorer plugin.

Eventually, the hackers deployed backdoors and keyloggers, tools that allowed them to steal credentials and other sensitive information.
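The dual-use tooling and DLL-hijacking pattern described in the two paragraphs above are what a defender would hunt for in endpoint telemetry. The following triage sketch is an added example, not code from the article or from Symantec's report: it classifies Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records, flagging the tools named here and unsigned DLLs loaded from user-writable paths. The watch list, severity rules, file paths and sample events are all constructed assumptions for illustration.

```python
import json

# Dual-use tools named in the report (WMI via wmic.exe, ProcDump, PsExec, PAExec,
# Mimikatz), keyed by lower-case image basename. Constructed watch list.
DUAL_USE_TOOLS = {"wmic.exe", "procdump.exe", "procdump64.exe", "psexec.exe",
                  "psexec64.exe", "paexec.exe", "mimikatz.exe"}
# Command-line idioms that raise severity: LSASS dumping, Mimikatz modules,
# SYSTEM-level remote execution, WMI remote process creation.
HIGH_RISK_ARGS = ("lsass", "sekurlsa", " -s ", "process call create")
# Directories an unprivileged user can write to; a side-loaded DLL usually lives here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_event(ev):
    """Classify one Sysmon-style event dict; returns (severity, reason) or None."""
    if ev["EventID"] == 1:                      # process creation
        img = basename(ev["Image"])
        if img in DUAL_USE_TOOLS:
            cmd = " " + ev.get("CommandLine", "").lower() + " "
            sev = "high" if any(a in cmd for a in HIGH_RISK_ARGS) else "medium"
            return sev, f"dual-use tool {img}: {cmd.strip()}"
    elif ev["EventID"] == 7:                    # image (DLL) loaded
        dll = ev["ImageLoaded"].lower()
        # Coarse side-loading rule: unsigned DLL from a user-writable directory.
        # Expect benign noise from portable apps; review the host binary's signer.
        if ev.get("Signed", "false").lower() != "true" and dll.startswith(USER_WRITABLE):
            return "high", f"{basename(ev['Image'])} loaded unsigned {basename(dll)} from a user-writable path"
    return None

def triage(json_lines):
    """Run assess_event over newline-delimited JSON events; return the alerts."""
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        verdict = assess_event(ev)
        if verdict:
            alerts.append((ev["EventID"], basename(ev["Image"]), *verdict))
    return alerts

# Constructed sample events; hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Tools\\procdump64.exe", "CommandLine": "procdump64.exe -ma lsass.exe out.dmp"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}',
    r'{"EventID": 1, "Image": "C:\\Users\\Public\\paexec.exe", "CommandLine": "paexec.exe \\\\eng-ws01 -s cmd.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe", "CommandLine": "wmic.exe os get caption"}',
    r'{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\FreePlayer\\player.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\FreePlayer\\version.dll", "Signed": "false"}',
    r'{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\FreePlayer\\player.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}',
]

if __name__ == "__main__":
    for event_id, image, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] EID {event_id} {image}: {reason}")
```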
