Patchwork Hackers Target Chinese Research Institutions with EyeShell Backdoor
On July 31, 2023, cybersecurity analysts from the KnownSec 404 Team reported that cyber espionage threats linked to a group known as Patchwork have been actively targeting universities and research organizations across China. This campaign is marked by the deployment of a sophisticated backdoor identified as EyeShell, which underscores the growing sophistication of digital threats aimed at research entities.
Patchwork, also recognized by alternate names such as Operation Hangover and Zinc Emerson, is suspected to operate under the auspices of Indian interests. The group has been active since at least December 2015, employing narrow yet focused attack strategies primarily directed at Pakistan and China. This targeting is often accomplished through tailored malware, such as the known BADNEWS implant, delivered via methods like spear-phishing and watering hole attacks.
The group's modus operandi shows a consistent pattern of using customized implants to compromise its chosen targets. Its shared tactical approaches with other Indian-associated cyber-espionage entities, such as SideWinder and the DoNot Team, further point to strategic coordination among these threat actors in pursuing their espionage goals.
In a separate but related incident earlier this May, Meta took down 50 social media accounts on Facebook and Instagram that were reportedly operated by Patchwork. These accounts relied on messaging apps that had been inadvertently uploaded to the platforms, illustrating a common tactic in the group's operational playbook.
In analyzing the latest campaign, it is useful to map the tactics and techniques employed onto the MITRE ATT&CK Matrix. Initial access may have been achieved through phishing, in which malicious links or attachments trick users into compromising their own systems. The persistence of malware like EyeShell indicates that methods of establishing long-term footholds within targeted networks were used effectively, allowing unauthorized access over an extended period.
Privilege escalation may have also played a role, enabling attackers to gain higher levels of access and control over critical systems and sensitive data. The use of watering hole attacks suggests a strategic selection of compromised sites frequented by the intended targets, further enhancing their chances of incursion.
As cyber threats continue to evolve, understanding the techniques and tactics utilized by groups like Patchwork is essential for business owners and cybersecurity professionals alike. Keeping abreast of these developments is vital for enhancing the security posture of organizations, particularly those engaged in research that may attract such espionage activities.