Researchers from Palo Alto Networks have uncovered a cyberespionage campaign linked to a group with ties to China, which has been actively targeting foreign ministries, embassies, and military communications through breaches of Microsoft Exchange email servers.
Identified as Phantom Taurus, this group has been under surveillance for nearly three years. Investigators report that these hackers have successfully infiltrated Exchange systems, primarily focusing on communications associated with embassies, military activities, and diplomatic engagements.
Unit 42, a division within Palo Alto Networks, connects Phantom Taurus with state-sponsored hacking entities from China, highlighting parallels in infrastructure with notable groups such as Mustang Panda and Winnti.
Targeting Diplomats for Sensitive Data
Further analysis by Unit 42 indicates that Phantom Taurus heavily concentrates its efforts on foreign affairs ministries, embassies, and organizations possessing access to crucial defense and geopolitical intelligence. Many of the recorded breaches coincided with significant global events or pivotal military developments in targeted regions.
The group has sought to gather intelligence from areas like Afghanistan, Pakistan, and various Middle Eastern countries, all of which remain strategically significant to Beijing’s interests. While specific governments impacted by the campaign have not been disclosed, the ongoing operations reflect a sustained espionage strategy aimed at high-value targets.
Different Tactics
Palo Alto Networks researchers note that Phantom Taurus employs unique tactics, setting it apart from other Advanced Persistent Threat (APT) groups associated with China. The group uses custom-developed tools and methodologies that enhance its ability to maintain a low profile for extended periods.
Phantom Taurus exhibits notable agility in its operational tactics, quickly adapting to circumstances, which complicates ongoing monitoring by cybersecurity experts. Its primary objective is to secure stealthy access to sensitive systems over extended durations, sometimes spanning months, while continuously gathering intelligence.
In their technical analysis, Palo Alto also revealed the group’s recent shift toward direct database collection in addition to their ongoing targeting of Exchange servers. Researchers have identified the use of tailored scripts capable of connecting to SQL databases, executing dynamic queries, and exporting data results.
NET-STAR Malware
Unit 42 has also discovered a previously unrecognized malware suite known as NET-STAR, designed specifically to compromise Microsoft Internet Information Services (IIS) servers. The suite includes a fileless backdoor named IIServerCore and memory-resident loaders that execute directly within the IIS process, so the activity leaves little behind for traditional security tools that inspect files on disk.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, highlights the challenges defenders face in light of operations like these. He points out that intelligence-gathering operations have different priorities compared to standard security teams focused on rapid intrusion removal. Intelligence teams often opt to observe an attacker to gain deeper insights into their objectives, techniques, and tools, which can sometimes lead to prolonged monitoring at the request of law enforcement or governmental entities.