Japan’s Industries Targeted by Hackers Employing Backdoors


APT10, also tracked as Stone Panda, Cicada, POTASSIUM, and Red Apollo, has been identified as the group behind a series of cyberattacks against Japanese industry sectors, part of a large, long-running campaign against Japan.

Using previously undocumented malware, APT10 compromised companies and planted backdoors in their networks. Through these backdoors the group aimed to extract sensitive data from organizations in Japan's industrial sectors.

The campaign did not affect only organizations based in Japan: companies with links to Japan in 17 other countries and regions were also hit.

Kaspersky’s Findings

The attacks, recently disclosed as part of a multi-year campaign attributed to APT10, relied on undocumented malware whose purpose was to establish backdoors in infected networks. Three payloads were identified as part of the arsenal: SodaMaster, P8RAT, and FYAnti.

This intelligence-gathering operation has been running for several years; the earliest evidence of activity dates to March 2019. Initial access to victims' networks was gained through SSL-VPN abuse, either by exploiting vulnerabilities in the VPN products or simply by logging in with stolen credentials.
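Stolen-credential VPN logins leave no exploit artifact, so the practical detection is behavioral. The following is an added example (not code from Kaspersky's report or from APT10's tooling) that runs two simple checks over constructed SSL-VPN authentication log lines: a successful login from a source address the account has never used before, and "impossible travel", two successful logins for one account from different countries closer together than a threshold. The log format, the baseline of known sources, and the six-hour threshold are all assumptions made for the example.

```python
"""
Added example: behavioral detection of stolen-credential SSL-VPN logins.
Not APT10 tooling and not from the Kaspersky report; the log format,
the baseline of known sources and the travel threshold are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log. Assumed format per line:
#   <ISO-8601 timestamp>Z user=<account> src=<ip> geo=<country code> result=<ok|fail>
SAMPLE_LOG = """\
2019-03-04T08:02:11Z user=tanaka src=203.0.113.10 geo=JP result=ok
2019-03-04T08:40:57Z user=sato src=203.0.113.22 geo=JP result=ok
2019-03-04T09:15:03Z user=tanaka src=198.51.100.77 geo=NL result=fail
2019-03-04T09:16:40Z user=tanaka src=198.51.100.77 geo=NL result=ok
2019-03-05T07:55:19Z user=sato src=203.0.113.22 geo=JP result=ok
"""

# Constructed baseline: source addresses each account has used before.
# In practice this would be built from a few weeks of historical logins.
KNOWN_SOURCES = {
    "tanaka": {"203.0.113.10"},
    "sato": {"203.0.113.22"},
}

# Assumption: two successful logins from different countries within this
# many hours cannot be the same person travelling.
MIN_GAP_HOURS = 6


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' and string fields."""
    parts = line.split()
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for token in parts[1:]:
        key, value = token.split("=", 1)
        event[key] = value
    return event


def detect(log_text, known_sources, min_gap_hours=MIN_GAP_HOURS):
    """Return a list of (alert_type, account, detail) tuples.

    Only successful logins are evaluated; failed attempts are ignored here
    because the goal is to catch credentials that actually worked.
    """
    alerts = []
    last_ok = {}  # account -> most recent successful login event
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "ok":
            continue
        # Check 1: source address never seen for this account before.
        if ev["src"] not in known_sources.get(ev["user"], set()):
            alerts.append(("new_source", ev["user"], ev["src"]))
        # Check 2: different country than the previous success, too soon.
        prev = last_ok.get(ev["user"])
        if prev is not None and prev["geo"] != ev["geo"]:
            if ev["ts"] - prev["ts"] < timedelta(hours=min_gap_hours):
                alerts.append(("impossible_travel", ev["user"],
                               f"{prev['geo']}->{ev['geo']}"))
        last_ok[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_SOURCES):
        print(alert)
```

On the sample log, only the account tanaka is flagged: the successful login from 198.51.100.77 is a new source, and it follows a login from Japan by little more than an hour. The failed attempt a minute earlier is deliberately not alerted on its own; a real deployment would correlate failures with the subsequent success and enrich the source address with ASN or VPN-provider data before paging anyone.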

Kaspersky researchers pointed out that the Ecipekac loader was the central component of the entire operation. According to the report, it uses four files to "load and decrypt four fileless loader modules one after the other", the chain ending with the final payload being loaded into memory.

SodaMaster and P8RAT are used to download and execute further payloads on targeted systems. FYAnti, the third payload, is itself a multi-layer loader module that deploys a QuasarRAT (also known as xRAT) remote access Trojan as the final stage.

Threat Assessment

Suguru Ishimaru, one of the Kaspersky researchers involved in the findings, stated that the campaign carried out by APT10 was high-end work. “The operations and implants of the campaign (…) are remarkably stealthy, making it difficult to track the threat actor’s activities,” he said in the report.

Kaspersky's experts agreed that APT10's campaign against Japanese industry organizations shows notable skill and sophistication: stealthy fileless implants, anti-VM checks, and successful removal of activity traces, among other techniques.

The long-running campaign, spanning 17 regions, appears to have gathered intelligence successfully. The sectors identified so far are managed service providers, automotive, pharmaceuticals, and engineering.

This cyberespionage group, known under many other names to researchers and government authorities, has been active for a long time: there is evidence of espionage operations by the group going back to 2009.

More notably, US officials have officially linked the group to the Chinese government. APT10's track record also includes recurring campaigns against Japanese organizations and high-profile individuals, so this latest finding reveals nothing new about the group's goals or its motivation to target Japan, particularly given its Chinese state backing.
