Suspected Chinese Hackers Hack Southeast Asian Government Departments, Target Uighurs Overseas

An Israeli cybersecurity firm says hackers suspected of being from China have been trying to break into government systems in a Southeast Asian country in a “phishing” campaign. At the same time, hackers have been trying to steal information from Uighur computer systems inside and outside of China using forged UN documents.

The latest analysis, published Thursday (June 3) by CPR, the research arm of Israel’s Check Point software technology company, did not reveal which Southeast Asian country the attacked government department was in. The report said the hackers posed as government employees and sent e-mails carrying Microsoft docx documents to government employees in that country. Once a user opened the document, the computer went on to download files containing malicious tools from an external server chosen by the hackers.

The malicious tool, called “RoyalRoad”, is often used in Chinese hacking circles, the report said. The tool exploits a security flaw in an older version of Microsoft Equation Editor.

The CPR report said the hackers went through multiple steps to eventually install a backdoor module in the target user’s computer. The backdoor can delete, create, rename, read, and rewrite files on a user’s computer, obtain information about the computer, take screenshots of the computer, and even shut down the computer, the report said.
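The article describes a document that, once opened, pulls further files from a server the attackers control. A defender’s first triage step for such a lure is to look inside the docx package for relationships that point outside the file. The checker below is an added example, not code from the article or from Check Point; it assumes the external fetch is expressed as an OOXML relationship with `TargetMode="External"` (for instance an attached template), and the sample documents and URLs it builds are constructed for the demonstration.

```python
"""Scan a .docx package for relationships that reference external targets.

Added example, not from the article or the Check Point report. Assumes the
document reaches out to its server through an External relationship such as
an attached template; that is a common mechanism, not something the article
states.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# An external hyperlink is ordinary in office documents; any other relationship
# that points outside the package deserves analyst attention.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def scan_docx_external_refs(docx_bytes):
    """Return sorted (rels_part, relationship_type, target) tuples for every
    relationship in the package whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((name, rel_type, rel.get("Target", "")))
    return sorted(findings)


def suspicious_refs(docx_bytes):
    """External references other than plain hyperlinks, e.g. a template that
    Word would fetch from a remote server when the document is opened."""
    return [f for f in scan_docx_external_refs(docx_bytes)
            if f[1] not in BENIGN_EXTERNAL_TYPES]


def _rels_xml(rels):
    """Serialise a list of (type, target, is_external) into a .rels part."""
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{REL_BASE}{t}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for i, (t, target, external) in enumerate(rels, 1))
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">{body}</Relationships>')


def build_sample_docx(external_template=None):
    """Constructed minimal OOXML package for testing the scanner (not a real
    lure). When external_template is given, word/_rels/settings.xml.rels
    points at it the way a remote attached template would."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels",
                    _rels_xml([("officeDocument", "word/document.xml", False)]))
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/document.xml.rels", _rels_xml([
            ("settings", "settings.xml", False),
            ("hyperlink", "https://example.com/", True),   # ordinary link
        ]))
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{w_ns}"/>')
        if external_template is not None:
            zf.writestr("word/_rels/settings.xml.rels",
                        _rels_xml([("attachedTemplate", external_template, True)]))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder host; no real infrastructure is referenced.
    sample = build_sample_docx("http://template.example.invalid/lure.dotm")
    for part, rel_type, target in suspicious_refs(sample):
        print(f"{part}: {rel_type} -> {target}")
```

On a real triage box the same function runs over any `.docx` read from disk; the point of separating `suspicious_refs` from the raw scan is that ordinary documents contain external hyperlinks, so alerting on every external relationship would drown the attached-template case the article describes.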

CPR researchers believe the hacking group has been testing and enhancing this attack strategy for at least three years. The report said researchers were “moderately” to “highly” confident that the hackers were from China.

In addition to the association of the “RoyalRoad” malware with the Chinese hacker community, the report said, the attackers’ activity was timed to coincide with Chinese business hours; there was no activity between May 1 and 5, which could be related to the Labor Day holiday in China; a test version of the backdoor checked its network connectivity by trying to connect to Baidu, a Chinese website; and some versions of the backdoor had been uploaded to VirusTotal, a cybersecurity analysis service, from China.
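Two of the attribution signals above, activity aligned with a country’s business hours and a multi-day pause over a public holiday, can be reproduced as a simple calculation over observed activity timestamps. The script below is an added example and is not code from the article or from Check Point; its timestamps are constructed to illustrate the method and are not the report’s data, and the 09:00–18:00 weekday window is an assumed definition of “business hours”.

```python
"""Working-hours and holiday-gap analysis over operator activity timestamps.

Added example, not part of the article or the Check Point report. The event
list is constructed for illustration; the business-hours window is an
assumption the analyst can tune.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC times at which operator-driven actions were seen
# (for example interactive commands sent to a backdoor). Not real data.
SAMPLE_EVENTS_UTC = [
    "2021-04-26T01:15:00Z", "2021-04-26T04:30:00Z", "2021-04-26T08:50:00Z",
    "2021-04-27T02:05:00Z", "2021-04-27T06:40:00Z",
    "2021-04-28T01:30:00Z", "2021-04-28T05:10:00Z", "2021-04-28T09:20:00Z",
    "2021-04-29T03:00:00Z", "2021-04-29T07:45:00Z",
    "2021-04-30T01:05:00Z", "2021-04-30T06:20:00Z",
    "2021-05-06T01:40:00Z", "2021-05-06T05:25:00Z", "2021-05-06T09:10:00Z",
    "2021-05-07T02:15:00Z", "2021-05-07T07:30:00Z",
]


def parse_events(stamps):
    """Parse ISO-8601 'Z' timestamps into timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            for s in stamps]


def working_hours_fit(events, offset_hours, start_hour=9, end_hour=18):
    """Fraction of events that fall on a weekday inside [start_hour, end_hour)
    once shifted into the zone UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(events)


def best_utc_offsets(events):
    """Return (best_score, [offsets]) over whole-hour offsets -12..+14, so an
    ambiguous fit (several zones scoring equally) stays visible instead of
    being silently collapsed to one answer."""
    scores = {off: working_hours_fit(events, off) for off in range(-12, 15)}
    best = max(scores.values())
    return best, sorted(off for off, s in scores.items() if s == best)


def quiet_windows(events, min_missing_days=3):
    """Runs of at least min_missing_days consecutive UTC calendar days with
    no activity, returned as (first_quiet_day, last_quiet_day). The default
    of three days keeps ordinary two-day weekends out of the result."""
    days = sorted({ev.date() for ev in events})
    windows = []
    for a, b in zip(days, days[1:]):
        missing = (b - a).days - 1
        if missing >= min_missing_days:
            windows.append((a + timedelta(days=1), b - timedelta(days=1)))
    return windows


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_UTC)
    score, offsets = best_utc_offsets(evs)
    print(f"best working-hours fit {score:.2f} at UTC offset(s) {offsets}")
    for first, last in quiet_windows(evs):
        print(f"no activity from {first} to {last}")
```

Timing evidence is circumstantial on its own: operators can work shifts, route through infrastructure in another zone, or deliberately skew their hours, which is why the report paired it with the malware’s provenance and the origin of the VirusTotal uploads rather than relying on it alone.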

Earlier, in another study released May 27, the cybersecurity firm said that hackers suspected of coming from China used phishing to fake UN documents and lure Uighurs in China and Pakistan to download and click on malicious programs and links.

The investigation, conducted by CPR in collaboration with Kaspersky’s global research and analysis team, found that the hackers sent Uyghur users counterfeit files bearing the UN Human Rights Council logo, which served as the vehicle for installing backdoor programs.

The hackers also pointed users to a fake website called the Turkic Culture and Traditions Foundation, where if they clicked on the “apply for funding” link, they were asked to perform a so-called security scan, a step that would allow the hackers to access information on the user’s system.

Lotem Finkelstein, director of Check Point’s Cyber Threat Intelligence Working Group, told Voice of America via email, “The novelty of this attack strategy is that the hackers exploit the target’s feelings of persecution to deceive them. Hackers design this attack to lure victims into scanning their computers before they get to the phishing site’s charitable fund page, causing them to execute malware posing as an antivirus scan program.”

Finkelstein said that while it is not certain that the attack in question was a cyberattack by the Chinese government, the likelihood that it came from a Chinese civilian source is high.

Finkelstein said, “Over the years, especially in this age of nationalism, we have seen more and more civilian hacker groups involved in actions that are considered to be of national interest … While we cannot ultimately point to China (the government), we can attribute it to Chinese hackers. Because we know that the most fundamentally relevant code can actually be found on Chinese language forums, we generally believe that the government would not use any of this stuff.”

The CPR report said this phishing-style attack against the Uyghur community was most active in 2020, but is still ongoing. The researchers said they found that hackers are creating phishing sites posing as government departments in Turkey and Malaysia, suggesting that hackers may be planning future offensives against Uyghur groups in those two countries.