This report summarizes public reporting on two China-linked threat clusters, Sandman and Storm-0866/Red Dev 40 [1] [3] [4] [5] [6] [7], and on the LuaDream implant used by Sandman [1] [3] [5] [6] [7]. The activity is associated with the KEYPLUG backdoor and targets telecommunication providers in the Middle East, Western Europe [3] [4] [5] [7], and South Asia [2] [3] [4] [5] [7].
Description
Sandman is an advanced persistent threat that targets telecommunication providers in the Middle East [5], Western Europe [3] [4] [5] [7], and South Asia [2] [3] [4] [5] [7], using the LuaDream implant. Storm-0866/Red Dev 40 is an emerging APT group that focuses on entities in the Middle East and South Asia [5], including telecommunication providers and government entities [1] [4] [5] [7]. Both Sandman and Storm-0866/Red Dev 40 have been linked to China-based threat actors.
The reporting also notes that Sandman's Lua development practices and the use of the KEYPLUG backdoor appear to be shared with a China-based threat actor tracked as Storm-0866/Red Dev 40 [2], which has targeted telecommunication providers in the Middle East and South Asia [4] [5] [7]. KEYPLUG is a backdoor associated with Storm-0866/Red Dev 40 and was previously disclosed in attacks by the China-based APT41 actor [5]. Both LuaDream and KEYPLUG support the QUIC and WebSocket protocols for command and control (C2) communications. The adoption of Lua suggests a growing trend among threat actors toward less common programming languages as a way to evade detection [5].
There are significant overlaps in operational infrastructure [3] [5], targeting [3] [4] [5] [7], and tactics, techniques, and procedures (TTPs) [3] [5] [6] between Sandman and China-based adversaries using KEYPLUG [3] [5], particularly Storm-0866/Red Dev 40 [1] [3] [4] [5] [7]. Sandman's LuaDream implant, which uses evasion and obfuscation techniques to make detection more difficult [6], has been found alongside the KEYPLUG backdoor on the same victim networks [4] [6]. Sandman's infrastructure is also controlled and managed using practices typically associated with Storm-0866/Red Dev 40 [6].
Researchers have discovered that Sandman and the China-based threat cluster, Storm-0866/Red Dev 40 [1] [3] [4] [5] [6] [7], share infrastructure control and management practices [1] [4] [5] [6] [7], as well as domain naming conventions [4]. The Lua-based malware LuaDream and KEYPLUG have been found to cohabit in the same victim networks [4], indicating shared development practices and overlaps in functionalities and design [2] [4] [5].
Sandman [1] [3] [4] [5] [6] [7], exposed by SentinelOne in September 2023 [4], targeted telecommunication providers in the Middle East [4] [5] [7], Western Europe [3] [4] [5] [7], and South Asia using the LuaDream implant [3] [4] [5]. Storm-0866/Red Dev 40 primarily targets entities in the Middle East and South Asia [4], including telecommunication providers and government entities [1] [4] [5] [7]. KEYPLUG [1] [3] [4] [5] [6] [7], a backdoor used by Storm-0866 [4] [5], was first disclosed by Mandiant in attacks by the China-based APT41 actor [4]. Researchers also noted commonalities between LuaDream and KEYPLUG [4], such as support for the QUIC and WebSocket protocols for C2 communications [4]. The adoption of Lua suggests that threat actors are increasingly turning to uncommon languages to evade detection [4] [5].
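The one technical detail the reporting gives defenders to work with is the pair of C2 transports shared by LuaDream and KEYPLUG: QUIC (UDP/443) and WebSocket (an HTTP request carrying an Upgrade header). The following is an added hunting example, not code from any of the cited reports; the log format, the server subnet, the destination allowlist and the sample records are constructed assumptions, and none of the addresses are indicators published for Sandman or Storm-0866. The heuristic flags server hosts that open either transport to destinations they are not known to use, and highlights hosts that use both.

```python
"""Hunting heuristic for the two C2 transports attributed to both LuaDream and
KEYPLUG (QUIC and WebSocket).

Added example, not code from the cited reports. The log format, the server
subnet and the destination allowlist are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Assumption: hosts in this range are servers where browser-style QUIC/WebSocket
# egress is not expected (e.g. a telecom OSS/BSS segment).
SERVER_SUBNET = ipaddress.ip_network("10.20.0.0/16")

# Assumption: destinations these servers are known to reach over QUIC/WebSocket.
ALLOWED_DST = {"10.20.1.5", "203.0.113.10"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    upgrade: Optional[str]  # value of the HTTP Upgrade header, if one was seen


def parse_line(line: str) -> Flow:
    """Parse one tab-separated record: ts, src, dst, dport, proto, upgrade ('-' if none)."""
    ts, src, dst, dport, proto, upgrade = line.rstrip("\n").split("\t")
    return Flow(ts, src, dst, int(dport), proto.lower(), None if upgrade == "-" else upgrade)


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow matches a hunted transport, else None."""
    if ipaddress.ip_address(flow.src) not in SERVER_SUBNET:
        return None  # only the server segment is in scope for this heuristic
    if flow.dst in ALLOWED_DST:
        return None  # known-good destination
    # QUIC runs over UDP/443; servers in this segment have no reason to speak it outbound.
    if flow.proto == "udp" and flow.dport == 443:
        return "quic_egress"
    # A WebSocket handshake is an HTTP request carrying "Upgrade: websocket".
    if flow.upgrade and flow.upgrade.lower() == "websocket":
        return "websocket_upgrade"
    return None


def hunt(lines: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Run the heuristic over log lines; return {src: {reason: {destinations}}}.

    A source showing both transports is the most interesting, since the
    implants described in the reporting support both.
    """
    findings: Dict[str, Dict[str, Set[str]]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip header and blank lines
        flow = parse_line(line)
        reason = classify(flow)
        if reason:
            findings.setdefault(flow.src, {}).setdefault(reason, set()).add(flow.dst)
    return findings


# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
#ts\tsrc\tdst\tdport\tproto\tupgrade
2023-12-01T10:00:01Z\t10.20.5.12\t198.51.100.7\t443\tudp\t-
2023-12-01T10:00:04Z\t10.20.5.12\t198.51.100.7\t443\ttcp\twebsocket
2023-12-01T10:01:10Z\t10.20.5.40\t203.0.113.10\t443\tudp\t-
2023-12-01T10:02:00Z\t192.168.7.3\t198.51.100.7\t443\tudp\t-
2023-12-01T10:03:00Z\t10.20.9.2\t198.51.100.23\t8443\ttcp\tWebSocket
""".splitlines()


if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_LOG).items():
        both = "quic_egress" in reasons and "websocket_upgrade" in reasons
        flag = "  <-- both transports" if both else ""
        print(f"{src}: {', '.join(sorted(reasons))}{flag}")
```

On the sample data the host 10.20.5.12 is reported for both transports to the same destination, 10.20.9.2 only for a WebSocket upgrade on a non-standard port, while the flow to the allowlisted destination and the flow from outside the server segment are ignored. The scoping to a server segment is what keeps the heuristic usable: on workstations, QUIC and WebSocket egress is routine browser behaviour and the same rule would be noise.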
Conclusion
The activities of Sandman and Storm-0866/Red Dev 40 [1] [3] [4] [5] [6] [7], and the LuaDream implant [1] [3] [5] [6] [7], highlight the complexity of the China-based threat landscape. The use of the KEYPLUG backdoor and the adoption of Lua indicate a growing trend among threat actors toward less common tooling and languages to avoid detection. Telecommunication providers and government entities in the Middle East, Western Europe [3] [4] [5] [7], and South Asia should be aware of these threats and implement appropriate mitigations to protect their networks and data. Ongoing research and collaboration are also necessary to keep pace with evolving threats and to secure critical infrastructure.
References
[1] https://www.matricedigitale.it/notizie/apt-sandman-cina/
[2] https://www.darkreading.com/threat-intelligence/microsoft-mystery-group-targeting-telcos-chinese-apts
[3] https://resources.rhyno.io/the-sandman-apts-secret-link-to-the-keyplug-backdoor-in-china/
[4] https://www.ihash.eu/2023/12/researchers-unmask-sandman-apts-hidden-link-to-china-based-keyplug-backdoor/
[5] https://thehackernews.com/2023/12/researchers-unmask-sandman-apts-hidden.html
[6] https://securityboulevard.com/2023/12/report-sees-chinese-threat-actors-embracing-sandman-apt/
[7] https://teknomers.com/2023/12/11/arastirmacilar-sandman-aptnin-cin-merkezli-keyplug-arka-kapisiyla-gizli-baglantisini-ortaya-cikardi/