Chinese Hackers Target South American Diplomats Using ShadowPad

Cyber Espionage Suspected in South American Diplomatic Attacks

On Monday, Microsoft announced it has linked a China-based cyber espionage group to a series of attacks targeting diplomatic organizations in South America. The company’s Security Intelligence team tracks this group under the identifier DEV-0147 and characterized the recent activity as an extension of the group’s data exfiltration efforts, which have predominantly focused on government agencies and think tanks in Asia and Europe.

DEV-0147 is employing sophisticated hacking tools, notably ShadowPad, to conduct its operations. ShadowPad, often referred to as PoisonPlug, is a successor to the PlugX remote access trojan and has been widely utilized by Chinese state-sponsored hacker groups with ties to the Ministry of State Security (MSS) and the People’s Liberation Army (PLA). This malware allows for not only infiltration but also the sustained access needed to execute more complex operations within compromised networks.

Adding to its arsenal, DEV-0147 also utilizes a webpack loader named QuasarLoader. This tool facilitates the deployment of additional malicious payloads onto infected systems, indicating a layered approach to their cyber operations. While Microsoft did not disclose the specific methods employed by DEV-0147 for initial access, it is likely that they used phishing or exploited vulnerabilities in unpatched software applications—common tactics in modern cyber attacks.

The group’s activities in South America have involved significant post-exploitation maneuvers, including the misuse of on-premises identity management systems to gather intelligence and execute lateral movement across networks. The utilization of tools like Cobalt Strike further indicates a structured and methodical approach to command-and-control operations and data exfiltration.
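The post-exploitation pattern described above, abuse of on-premises identity systems to move laterally across a network, leaves a footprint in authentication telemetry that defenders can hunt for: one account authenticating by network logon to many distinct hosts in a short span of time. The following is an added example, not code from the article, from Microsoft, or from any ShadowPad analysis: a small Python detector that applies a sliding-window fan-out rule to Windows-style logon records. The event records are constructed for the example, and the field layout, thresholds, account names and host names are assumptions rather than anything reported on the page.

```python
"""Flag lateral-movement fan-out in Windows logon telemetry (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped like the fields a SIEM
# typically extracts from Windows Security event 4624 (successful logon).
# LogonType 3 is a network logon, which is what SMB/WMI/PsExec-style remote
# execution leaves on the destination host.
SAMPLE_EVENTS = [
    # timestamp, event_id, logon_type, account, source_ip, destination_host
    ("2023-02-13T09:00:01", 4624, 3, "ops-admin", "10.0.5.21", "FS01"),
    ("2023-02-13T09:00:04", 4624, 3, "ops-admin", "10.0.5.21", "FS02"),
    ("2023-02-13T09:00:09", 4624, 3, "ops-admin", "10.0.5.21", "PRINT01"),
    ("2023-02-13T09:00:15", 4624, 3, "ops-admin", "10.0.5.21", "DC01"),
    ("2023-02-13T09:00:21", 4624, 3, "ops-admin", "10.0.5.21", "SQL01"),
    ("2023-02-13T09:00:30", 4624, 3, "ops-admin", "10.0.5.21", "FS01"),     # repeat host
    ("2023-02-13T09:01:02", 4624, 3, "j.perez", "10.0.7.40", "FS01"),       # ordinary file access
    ("2023-02-13T09:30:00", 4624, 2, "j.perez", "10.0.7.40", "WS-PEREZ"),   # interactive logon, ignored
    ("2023-02-13T10:00:00", 4624, 3, "j.perez", "10.0.7.40", "FS02"),
    ("2023-02-13T11:00:00", 4624, 3, "j.perez", "10.0.7.40", "PRINT01"),
]


def detect_lateral_fanout(events, window_minutes=10, min_hosts=4):
    """Return alerts for (account, source_ip) pairs that reach at least
    `min_hosts` distinct destination hosts via network logon inside any
    `window_minutes` sliding window.

    Thresholds are assumptions for the example; tune them to the environment
    (backup and monitoring service accounts legitimately fan out and need
    an allow-list or a higher threshold).
    """
    window = timedelta(minutes=window_minutes)

    # Group network logons by the actor that initiated them.
    by_actor = defaultdict(list)
    for ts, event_id, logon_type, account, src, dst in events:
        if event_id != 4624 or logon_type != 3:
            continue
        by_actor[(account, src)].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for actor, seq in by_actor.items():
        seq.sort()
        recent = deque()  # (timestamp, host) pairs inside the current window
        for ts, dst in seq:
            recent.append((ts, dst))
            # Drop entries that have fallen out of the window.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            hosts = {h for _, h in recent}
            if len(hosts) >= min_hosts:
                alert = alerts.setdefault(
                    actor, {"hosts": set(), "first": recent[0][0], "last": ts}
                )
                alert["hosts"] |= hosts
                alert["last"] = ts
    return alerts


if __name__ == "__main__":
    for (account, src), info in detect_lateral_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {account}@{src}: {len(info['hosts'])} hosts "
              f"between {info['first'].time()} and {info['last'].time()}: "
              f"{sorted(info['hosts'])}")
```

Run against the constructed records, the rule fires only for the `ops-admin` session that touches five hosts in twenty seconds; the ordinary user reaches three hosts over two hours and stays under the window. In production the same logic is usually expressed as a SIEM query over real 4624 events joined with 4672 (special privileges assigned) to single out fan-out from privileged accounts, which is where identity-system abuse of the kind the article describes tends to show up.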

DEV-0147 is not an isolated entity; it is part of a broader trend among Chinese advanced persistent threat (APT) groups leveraging ShadowPad. For instance, in September 2022, a separate incident revealed a targeted attack aimed at an undisclosed organization that exploited a critical vulnerability in WSO2 to deploy web shells, leading to the eventual deployment of ShadowPad for data collection purposes.

Moreover, ShadowPad has recently been linked to attacks against an ASEAN member nation’s foreign ministry, where threat actors successfully exploited vulnerabilities in Internet-connected infrastructure to gain access. Similar tactics, as observed in the REF2924 intrusion set associated with state-sponsored groups like Winnti and ChamelGang, suggest a strategic alignment with national interests.

The ongoing utilization of ShadowPad by these hacking collectives underscores the effectiveness of this malware, even as it becomes increasingly recognized and documented within cybersecurity circles. This persistence raises concerns about the depth of access and operational capabilities that these groups maintain against various entities worldwide.

Business owners and technology professionals should remain vigilant, as the evolving techniques employed by groups like DEV-0147 highlight the sophisticated threats present in the contemporary cybersecurity landscape. By understanding the tactics outlined in the MITRE ATT&CK framework—such as initial access and persistence—organizations can better prepare their defenses against such evolving threats.
