Espionage Campaign Targeting Hong Kong Activists Discovered!

Hi everybody,

An espionage campaign targeting Hong Kong democracy activists has been discovered. The campaign appears to be connected to a broader set of targets and operations. The researchers named the two new malware families used in this campaign UP007 and SLServer.

The Arbor Security Emergency Response Team (ASERT) was the first to discuss the UP007 malware family in “Uncovering the Seven Pointed Dagger,” which analysed a set of samples hosted on the website of Myanmar's (Burma's) national-level electoral body, the Myanmar Union Election Commission. In that analysis one piece of malware was referred to as “unknown malware”; based on an identifier in its network traffic, it is now called UP007. A recent report discussed the use of the same malware in campaigns targeting Tibetan, Hong Kong, and Taiwanese interests. The detailed reporting by ASERT makes it clear that the UP007 malware family was used in previous campaigns targeting Burmese interests. In addition, the campaigns share some C2 infrastructure with previous operations against targets in Thailand and the Tibetan community.

The SLServer sample is discussed in the PricewaterhouseCoopers (PwC) report. The researchers refer to the malware as SLServer because of a resource dialog in the file. These previous reports collected their samples from VirusTotal.

This research by Citizen Lab builds on the previous reporting by examining UP007 and SLServer more closely, along with variations of these samples found “in the wild” and the connections between these attacks and other campaigns. Previous reports have shown that the tactics, techniques, and procedures used in this campaign overlap with other operations targeting groups in Burma, Hong Kong, and the Tibetan community. The researchers speculate that either a single threat actor is targeting these groups, or some level of formal or informal resource sharing is occurring between the operators behind the campaigns.

The report presents an analysis of the original email lure and the samples used in the campaign, obtained from a targeted source, and finds that both UP007 and SLServer were sent to targets in the same attack.

The research note mentions that civil society groups across Asia continue to be targeted by persistent and organized cyber espionage campaigns. Civil society groups often lack the resources and awareness to defend against these operations, and closer attention to the threats they face is needed.

Check out the full analysis at:

Source: Akati
