In the world of cyberespionage, hacker groups linked with China and Russia are widely considered to be some of the boldest in how they go after their targets. Over the past few years, several China-linked hacker groups have been publicly called out, especially by the U.S. government, for launching attacks against U.S. government targets and stealing classified proprietary information. However, it now appears Chinese hacker groups may have shifted focus from the U.S. to steal from other nations.

A cyberespionage group, believed to have ties with the Chinese government, was accused of hacking a U.K. government contractor. The hacker group is known by several names including APT15, Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon.

According to security researchers at NCC Group, who uncovered the attack, the cyberespionage group used new tools and techniques to carry out the assault. Researchers said the hackers used a combination of several new backdoors and old malware in an effort to remain undetected in the target’s systems for as long as possible.

"Espionage by foreign governments should not come as a shock to anyone, these days. False Flags, double bluffs and blatant denials should also be expected. These attack tools have been associated with a group that targeted foreign affairs ministries in the past. We do not know if the attack is limited to the UK at this point. The wide range of tools used suggests a requirement for many capabilities in the target network; from this, we can infer that intellectual property was the target of the attack," Andy Norton, director of threat intelligence at Lastline — a cyber security company and breach detection platform provider — told IBTimes.

[Image] British lawmakers passed a new surveillance law to give security agencies more extensive monitoring capabilities in the digital age, June 7, 2016. REUTERS/Kacper Pempel

“A number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to U.K. government departments and military technology,” NCC Group security experts said in a blog.

Although it is unclear how the hackers initially gained access to the target’s systems, in this particular attack APT15 used two new backdoors called RoyalCli and RoyalDNS. Once inside, the hackers dropped additional payloads, including a network scanning/enumeration tool and a data-dumping tool called “spwebmember.”

“APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets. This allowed the group to persist in the victim's network in the event of remediation actions being undertaken, such as a password reset,” the researchers added.
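An added illustration of why the golden-ticket detail matters for defenders (this is example code, not from NCC Group or the article): a forged TGT is minted offline with the krbtgt hash, so the domain controller never logs a TGT request (event 4768) for it; the first trace it records is a service-ticket request (event 4769) presented with the forged ticket. The script below, run over constructed sample events in an assumed pipe-delimited export format, flags 4769 events with no preceding 4768 for the same account within the default TGT lifetime.

```python
from datetime import datetime, timedelta

# Constructed sample of Kerberos events as a DC might export them.
# Format assumed here: "timestamp|event_id|account|client_ip" (not real logs).
SAMPLE_LOG = """\
2018-03-10 08:00:00|4768|alice|10.0.0.5
2018-03-10 08:00:02|4769|alice|10.0.0.5
2018-03-10 08:30:00|4768|bob|10.0.0.9
2018-03-10 09:15:00|4769|svc_backup|10.0.0.77
2018-03-10 14:10:00|4769|bob|10.0.0.9
2018-03-10 20:05:00|4769|alice|10.0.0.5
"""

TGT_LIFETIME = timedelta(hours=10)  # default maximum TGT lifetime in a domain


def parse_events(text):
    """Parse the constructed export format into sorted (time, id, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ip = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, ip))
    events.sort(key=lambda e: e[0])
    return events


def find_tgs_without_tgt(events, window=TGT_LIFETIME):
    """Return 4769 events whose account has no 4768 within the preceding window.

    A legitimate client obtains a TGT (4768) before requesting service tickets
    (4769); a golden ticket skips the 4768 step entirely. Hits are triage leads,
    not proof: TGT renewals and 4768s logged on a different DC look the same,
    so collect events from every DC before trusting a gap.
    """
    last_tgt = {}
    suspicious = []
    for ts, eid, account, ip in events:
        if eid == 4768:
            last_tgt[account] = ts
        elif eid == 4769:
            seen = last_tgt.get(account)
            if seen is None or ts - seen > window:
                suspicious.append((ts, account, ip))
    return suspicious


if __name__ == "__main__":
    for ts, account, ip in find_tgs_without_tgt(parse_events(SAMPLE_LOG)):
        print(f"{ts} service ticket for {account} from {ip} with no recent TGT request")
```

Because a golden ticket survives user password resets, the matching remediation is to reset the krbtgt account password twice (so both stored key versions change), which invalidates tickets forged with the old hash.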

NCC Group researchers said that despite being booted off the infected system, the APT15 hackers regained access to the victim’s systems a few weeks later by using new malware. In other words, the hackers were persistent about remaining ensconced in the victim’s systems.

APT15 is not a new threat actor in the cyberespionage scene. A previous report by Palo Alto Networks highlighted how the hackers targeted Indian embassies across the world in 2016. According to a separate report by FireEye, the hacker group is believed to have been active since 2010 and has targeted various foreign government ministries. The cyberespionage group is known to target the aerospace, energy, government, technology and the chemicals/manufacturing/mining sectors.