Avast identifies new cybersecurity threat targeting Mongolian Government data center
Published 18 December 2020
Avast, a global leader in cybersecurity and privacy software, has identified a new advanced persistent threat (APT) campaign targeting government agencies and a government data center in Mongolia.
Avast researchers consider a Chinese-speaking APT group to be the attacker; however, the group's actual objective remains unknown.
The likely culprit, LuckyMouse, otherwise known as EmissaryPanda and APT27, is infamous for attacking national resources and political information in China’s neighbouring countries.
Avast found that the techniques used by the group differ from those seen in previous attacks. This time, they use both keyloggers and backdoors to gain long-term access and to upload a variety of tools that they used to scan the Mongolian Government networks and dump credentials.
“The APT group Lucky Mouse has been active since Autumn 2017 and has been able to avoid Avast attention in the last two years due to their evolving techniques and marked change of tactics,” said Luigino Camastra, a Malware Researcher at Avast.
The APT group compromised the Mongolian government in two ways: first, by compromising a vulnerable service provider of the Government to gain entry into government institutions, and secondly, by sending malicious emails carrying weaponised documents that exploit the unpatched CVE-2017-11882 vulnerability.
“We were able to detect their new tactics to discover this campaign targeting the Mongolian government, showing how they’ve scaled their operations to be more advanced to gain longer term access to sensitive data,” added Mr. Camastra.
The finding is corroborated by Slovak security firm ESET, which found that the hackers targeted an add-on that provides instant messaging capability to a human resource management (HRM) platform by Able Software. According to the company’s website, this HRM platform is used by more than 430 Mongolian Government agencies, including the Office of the President and the Ministry of Justice, among others.
Earlier this year, Kaspersky, a Russian multinational security provider, found that some Chinese-speaking APT threat actors were actively targeting regional inter-governmental organisations in Asia and Africa.
In Kaspersky’s report, compromised IT or managed security service providers also appear to be a potential vector for targeted delivery. The majority of the visible activity in the second quarter of 2020 appeared to be in Mongolia, Vietnam and Myanmar. The number of affected systems is estimated to run into the thousands.
It appears that the scope and sophistication of government-targeted cyberattacks are increasing.