Chinese Groups Attack Japanese Firms, Resurrect Old Malware

Groups linked to China continue to launch attacks at the nation’s rivals, with reports of one group targeting Japanese companies using a zero-day vulnerability and a second group exploiting its victims with a decade-old RAT.


While North Korean and Russian cyber operations have dominated the news, hackers linked to China continue to target a variety of organizations worldwide, according to two separate reports published by security firms in the last week.

One Chinese group has revived a decade-old remote access Trojan (RAT), known as “Hacker’s Door,” and begun using it in espionage operations, security firm Cylance stated in an analysis published on Oct. 17. Hacker’s Door was originally released in 2004, but has been updated and improved and is being sold online by the original author, the company stated.

A second espionage group linked to China, known as Bronze Butler, continues the nation’s strategy of economic espionage against other countries, by stealing intellectual property and confidential data from Japanese companies, security services firm SecureWorks stated in an investigation published on Oct. 13.

“Chinese groups are still very active and fairly capable,” Matthew Webster, a senior researcher with SecureWorks’ counter threat unit, told eWEEK. “If we are comparing to five years ago, I think it is fair to say there is a slight reduction in activity, but there was a large volume of attacks back then.”

While the media has focused on the rise of North Korea’s cyber operations against the United States and Russia’s extensive information operations targeting the 2016 U.S. presidential election, activity from China has garnered less attention. The People’s Republic of China, however, has continued its extensive online activities, although it is uncertain whether any of the operations violate an agreement to not conduct economic espionage against U.S. companies.

The most recent reports shed light on the fact that Chinese hackers do not mind outsourcing development of their tools to outside developers. The discovery of the Hacker’s Door RAT, for example, “shows that threat actors are comfortable relying on third-party tools to reduce development time (and) costs for malware,” Cylance stated in its analysis.

Cylance would only confirm that the tool was found inside a Western aerospace company, so it remains uncertain whether China may have violated its pledge to not attack U.S. companies with economic espionage.

“It is highly likely that this tool will continue to be uncovered as part of targeted attacks for some time, as the ease of use and advanced functionality makes ‘Hacker’s Door’ the perfect RAT for any adversary’s arsenal,” Cylance stated in the analysis. “If found within an environment it is highly advised that you arrange for a compromise assessment to determine if there are further signs of attacker activity.”

While China may be curtailing economic espionage operations against U.S. companies, the PRC is still targeting other nations’ economies. The Bronze Butler group, for example, targeted intellectual property, product specifications, and sensitive business and sales files, SecureWorks stated. The group also targets a variety of data useful to extending a network compromise, such as configuration files and email messages.

The telltale signs linking the activities to China include the use of a scanning tool created by a Chinese developer and Chinese characters in specific files, as well as a decrease in activity during the Chinese national holidays. Researchers are quick to point out that any online or digital evidence can be faked by a technical adversary.

Despite leaving behind traces of its affiliations, the group seems quite sophisticated. Japanese companies were compromised using a zero-day exploit in a desktop management system, and the infrastructure used to conduct the attacks was advanced, SecureWorks stated.

“The threat actors seemingly have the capability to develop and deploy their own proprietary malware tools,” the company stated in its analysis. “The group's command and control (C2) protocols are encrypted, presenting challenges for network defenders and incident responders.”

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...