The company Securonix has revealed a large espionage operation, called “SlowTempest”, aimed at people and organizations in China. The attackers sought long-term access to systems for espionage and possible sabotage, as well as the ability to launch extortion attacks or steal data. Experts believe the main goal of the campaign was to establish persistent control over networks and carry out strategic tasks in line with state interests.
While the researchers could not pinpoint the attackers’ location or link them to any specific group, the sophistication of the malware and of the tools used for scanning and data theft suggests that government agencies or large businesses were the intended targets.
Securonix experts did not reveal the specific victims of the attack, but they noted that the phishing emails used in the campaign were written in Chinese, and the hackers’ infrastructure was hosted on servers belonging to the Chinese company Shenzhen Tencent Computer Systems. These factors, along with telemetry data, point to China being the main target of the attack.
Furthermore, the researchers observed that the attackers had a deep understanding of the Chinese language, local infrastructure, and the characteristics of potential victims. However, the attack could also have originated from other Chinese-speaking regions, such as Taiwan, Singapore, or Hong Kong.
The study initially began with one incident, from which several other attacks were uncovered, indicating a larger number of victims. The campaign is still ongoing and differs from previous ones. The unique combination of tools and hacker methods suggests this is an independent operation, rather than a continuation of known campaigns.
The attacks started with the distribution of malicious ZIP files through phishing emails. The files were disguised as documents related to personnel matters, which helped them evade antivirus detection. One such file, named “List of persons who violated the rules for using the software for remote control”, contained hidden backdoors that went unnoticed by security systems, enabling the hackers to scan systems for data and extract account credentials from browsers.
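Archives disguised as personnel documents are the delivery vector described above, so a useful defensive control is to triage every ZIP attachment before it reaches a mailbox. The following is an added example, not code from Securonix or from the report; the suffix lists are an assumed gateway policy, and the sample archive is constructed inline for illustration rather than taken from the campaign. It flags members with executable or script extensions, document names that hide an executable extension, and members whose content carries a Windows PE header regardless of what the name claims.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for the example: extensions that run code when opened,
# and extensions a user would read as a harmless document.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd",
                       ".ps1", ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def triage_zip(data: bytes) -> list[dict]:
    """Inspect every member of a ZIP archive (given as bytes) and return
    one finding per suspicious member, each with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            reasons = []
            if last in EXECUTABLE_SUFFIXES:
                reasons.append(f"executable extension {last}")
            # "report.pdf.exe": a document extension in front of an executable one
            if (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES
                    and last in EXECUTABLE_SUFFIXES):
                reasons.append("document extension hides executable extension")
            # Content check: the name may lie, the PE header does not.
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC and last not in EXECUTABLE_SUFFIXES:
                reasons.append("PE header behind non-executable name")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive for the example (not a real campaign file):
    one benign text file plus two members a phishing ZIP might carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("List of violators.txt", "name, department\n")
        zf.writestr("List of violators.pdf.exe", PE_MAGIC + b"\x00" * 64)
        zf.writestr("attachment.docx", PE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with only plain documents; should produce no findings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("policy.txt", "remote-control software usage rules\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

The content check matters more than the extension checks: an attacker controls the file name entirely, but a native executable still has to start with the PE header to run, so a document-named member that begins with `MZ` is a strong signal on its own. A production gateway would extend this with nested-archive recursion and script detection by content, which this example leaves out.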
Despite some mistakes by the attackers, such as leaving behind a tool bearing the user name Guoyansong, believed to be a real Chinese name, Securonix suggests that the attack was carried out by a skilled individual using advanced tooling such as Cobalt Strike along with a wide array of other post-exploitation tools, even though there is no concrete evidence linking the attack to any known threat group.