Recent reports indicate that shipping companies and medical laboratories across Asia have become targets of a sophisticated espionage initiative attributed to a previously unidentified threat actor called Hydrochasma. This activity has been under investigation since October 2022, revealing a pattern of operations that relies solely on readily available public tools and methodologies.
According to Symantec, a division of Broadcom Software, the actors behind Hydrochasma are primarily focused on sectors related to COVID-19 treatments and vaccine distribution. While the exact origins of this threat group and its affiliations with other known entities remain unclear, their approach raises significant cybersecurity concerns.
A notable characteristic of this campaign is its reliance on open-source and publicly available tools, which lets the attackers operate without bespoke malware or custom data-exfiltration tooling. Because such tools are also used legitimately, their presence is harder to flag as malicious, which obscures the group's activity and complicates attribution, and may give the operators an advantage.
The initial breach vector appears to be phishing, with messages crafted to entice recipients into launching a document disguised as a resume, subsequently granting access to the target system. Once inside, Hydrochasma has employed various tools, including Fast Reverse Proxy (FRP), Meterpreter, Cobalt Strike Beacon, Fscan, BrowserGhost, and the Gost proxy. Each of these tools aids in establishing persistent and covert access to compromised networks.
Cybersecurity experts note that these tools allow Hydrochasma to escalate privileges within the victim's network and move laterally between systems. The use of FRP in particular fits a recognized trend among threat groups: Positive Technologies previously documented the same tool being used by actors such as ChamelGang for similar purposes.
Furthermore, in September 2022, an investigation by AhnLab Security Emergency Response Center (ASEC) unveiled attacks leveraging FRP to clandestinely manage compromised systems within South Korean enterprises, demonstrating a broader pattern of operational sophistication among current threat actors.
Notably, Hydrochasma is not an isolated case; there has been a rising trend among cybercriminal groups to forgo custom malware. A case in point is the OPERA1ER group, which similarly employs dual-use tools and living-off-the-land strategies, targeting various nations, including those in the Francophone regions of Africa.
This evolving landscape of cyber threats serves as a stark reminder of the vulnerabilities inherent in modern digital operations, particularly for industries engaged in sensitive health-related activities. Understanding the tactics deployed by adversaries, such as those outlined in the MITRE ATT&CK framework—covering areas like initial access, persistence, and privilege escalation—will be crucial for businesses looking to enhance their cybersecurity posture.