14 DAY TRIAL // Security researchers from ThreatConnect’s Intelligence Research Team (TCIRT) say they’ve identified a cyber espionage campaign launched by China against Mongolia.
More precisely, it appears that China is trying to learn as much as it can about Mongolia’s relations with the European Union and countries such as the United States, South Korea and Japan. The campaign targets not only entities from Mongolia, but also ones that have economic, diplomatic or military relations with the country.
According to experts, the attacks start with a maliciously crafted Microsoft Word document apparently containing an official unclassified announcement regarding the Khaan Quest 2014 joint US and Mongolia military exercise. The file purports to come from the United States Army Pacific (USARPAC) unit.
When the document is opened, an old Microsoft Office vulnerability is exploited and a piece of malware is dropped onto the targeted computer.
In addition to the Khaan Quest 2014 document, the attackers also use a fake announcement that purports to come from Mongolia’s Ministry of Defense regarding training with the Vietnamese military.
The command and control (C&C) servers used by the malware are located in Hong Kong.
After analyzing the contact details used to register the C&C domains and subdomains, researchers have come across one email address that was mentioned in a 2008 academic research paper called “Research on P2P File Sharing Anti-Pollution Strategy.”
The author of the paper is one Chinese woman named “Yun Yan,” a doctorate research student in the Department of Electronic and Information Engineering at the Dalian University of Technology in China.
Evidence suggests that the piece of malware used by these attackers has also been utilized by the notorious Chinese hacker group known as APT1 or Comment Crew. However, experts say this doesn’t necessarily mean that the two crews are linked or associated.