December 2, 2023

A previously unknown government-backed hacking group is targeting organizations in the manufacturing, IT, and biomedical sectors across Taiwan, Vietnam, the U.S. and an unnamed Pacific island, according to new research from Symantec.

The researchers are tracking the group under the name “Grayling” and said in a report released Tuesday that it is using custom malware as well as publicly available tools to attack its targets.

The attacks, which began in February and continued through May, stood out to researchers because of the use of distinctive hacking tools. The goal of the campaign is espionage rather than financial gain, they said.

They found attacks on several organizations in the manufacturing, IT, and biomedical sectors in Taiwan as well as an incident involving a government agency located in the Pacific island. Unnamed organizations in Vietnam and the U.S. were also targeted as part of the campaign.

“There are indications that Grayling may exploit public-facing infrastructure for initial access to victim machines,” Symantec said.

“The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.”

The hackers used Havoc, an open-source tool that has gained prominence among hackers as an alternative to Cobalt Strike. The tool allows hackers to download additional payloads, execute commands on victim machines, manipulate Windows tokens and more.

During the attacks, Symantec observed the hackers use a spyware tool called NetSpy and exploit a popular Windows vulnerability, tracked as CVE-2019-0803.

“While we don’t see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in…are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” they said.

“The use of custom techniques combined with publicly available tools is typical of the activity we see from APT groups these days, with threat actors often using publicly available or living-off-the-land tools in attempts to bypass security software and help their activity stay under the radar of defenders.”

While Symantec declined to attribute the activity to a specific country, they said the “heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.”

In May, the U.S. government and Microsoft accused Chinese hackers of infiltrating critical infrastructure systems and other areas around U.S. military bases in Guam, a U.S. territory in the Pacific.

Symantec has also released several reports this year tracking Chinese espionage campaigns across Vietnam and other Southeast Asian countries, as well as Taiwan.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.