GhostEmperor Unveils New Tactics to Evade EDR Solutions

Two years after its last known appearance, the Chinese hacker group GhostEmperor has resurfaced. Targeting telecommunications providers and government entities in Southeast Asia, GhostEmperor is known for sophisticated supply-chain attacks and has significantly improved its evasion methods. This information was reported by Sygnia in a recent report.

Sygnia uncovered GhostEmperor’s involvement in an incident at the end of last year, in which the network of an undisclosed client was compromised and used as a staging ground for reaching another victim. GhostEmperor was first publicly described by Kaspersky Lab in 2021. Sygnia noted that no public reporting on the group had appeared in the intervening period.

GhostEmperor’s Infection Chain

GhostEmperor is known for deploying a kernel-level rootkit, which allows it to evade detection by security products, including EDR solutions. Tools of this kind are typically developed by state-sponsored groups because of the resources required. The rootkit operates in the core of the operating system, the kernel, where standard security measures have limited visibility, making it difficult to detect.

The current Demodex variant is an updated version of the group’s earlier tooling, with a more intricate and stealthy infection chain that has drawn significant attention. This indicates that GhostEmperor continues to refine its techniques to remain as covert as possible.

In 2021, Kaspersky Lab described GhostEmperor as a highly skilled group that targeted high-profile entities in Malaysia, Thailand, Vietnam, and Indonesia. Additional victims were found in Egypt, Ethiopia, and Afghanistan, some of them organizations with strong ties to Southeast Asia. The infections were likely used for espionage aligned with the group’s geopolitical interests.

A notable aspect of the attack is that, after infiltrating the initial network, the attackers pivoted to the networks of the client’s business partners. Sygnia hopes the information it has published will help organizations better prepare for such threats. The key goals are to minimize the time an adversary spends undetected and to speed up detection. While 100% security is unrealistic, organizations should develop strategies to prevent and mitigate these risks.
