Chinese APT Earth Krahang Compromises 48 Government Entities Globally

March 19, 2024

Earth Krahang, an advanced persistent threat (APT) group believed to be operating under the Chinese government, has breached 48 global government entities, according to Trend Micro. The group is thought to be linked to Earth Lusca, another hacking team within the Chinese company I-Soon. Recent leaks revealed that I-Soon is a private contractor associated with China's top policing agency, the Ministry of Public Security.

Earth Krahang has been primarily engaged in cyberespionage, compromising approximately 70 organizations in 23 countries, predominantly in Asia and America, but also in Europe and Africa. It has also targeted over 100 other entities across 35 countries. The victims include government bodies, foreign affairs ministries, and organizations in various sectors such as education, telecommunications, logistics, finance, healthcare, manufacturing, and the military.

Trend Micro reported that Earth Krahang was observed compromising government infrastructure to host malicious payloads, proxy traffic, and send spear-phishing emails to other government entities. The group leverages the trust between governments to conduct their attacks, often using compromised government web servers to host their backdoors and send download links to other government bodies via spear-phishing emails.

The APT group also establishes VPNs on compromised public-facing servers to access the victims' networks and harvest email credentials using brute-force attacks. Trend Micro was able to access the APT's servers and retrieve malware samples and configuration and log files due to operational errors made by the group.

The group uses open source tools to scan victims' web-facing servers, brute-forcing directories to gather sensitive information, and exploiting command execution vulnerabilities in OpenFire (CVE-2023-32315) and Oracle Web Applications Desktop Integrator (CVE-2022-21587). They send spear-phishing emails with attachments or embedded URLs leading to malware execution. In one instance, they used a compromised government email account to send a malicious attachment to about 800 accounts within the same organization.

After gaining initial access, the APT deploys the SoftEther VPN to connect to the victim environment, uses task scheduling to achieve persistence, enables remote desktop connections, scans the network, extracts credentials from memory dumps, moves laterally, and escalates privileges. To maintain access to the victim's systems, the threat actor deploys Cobalt Strike, as well as two custom backdoors named Reshell and XDealer. In some cases, Earth Krahang also deployed PlugX and ShadowPad variants on victim's systems.

Trend Micro's investigation into Earth Krahang revealed connections to other Chinese threat actors, including a strong link to Earth Lusca, due to overlaps in infrastructure and the preference of initial stage backdoors. Given that Earth Lusca has been found to be I-Soon's penetration team and recent leaks showed that the company's penetration team is organized in two different subgroups, Earth Krahang could be another penetration team under the same company.

Given the significance of Earth Krahang's targets and their preference for using compromised government email accounts, Trend Micro strongly recommends organizations to adhere to security best practices, including educating employees and other individuals involved with the organization on how to avoid social engineering attacks.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.