In February 2023, researchers at ESET discovered a cyber attack targeting a government institution in Guyana, a small state in South America. The attack, tracked as "Operation Jacana," relied on phishing for initial access and deployed a previously unknown C++ backdoor named DinodasRAT.
ESET, a Slovak company, believes that the attackers are an APT group of Chinese origin. This conclusion is based on the use of the PlugX Trojan, commonly associated with Chinese threat actors.
The attack chain started with a phishing email sent to the target address. The emails had various themes, but all of them were designed to deceive their recipients. One of the emails highlighted a supposed "Guyanese fugitive in Vietnam" and contained a link to the compromised Vietnamese government site fta.moit.gov[.]vn.
Clicking the link downloaded a ZIP archive disguised as a Microsoft Word document. The archive actually contained an executable (EXE) file that infected the victim's computer with DinodasRAT and gave the attackers a foothold in the target network.
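The lure described above, an archive that looks like a document but carries an executable, is something a mail gateway or triage script can check for before the file reaches a user. The following is an added example and not code from the ESET report: it builds two constructed ZIP archives in memory (one lure-style, one benign) and flags members whose name or content indicates a Windows executable.

```python
import io
import zipfile

# Constructed sample data (not from the page): a minimal PE-like payload, which
# starts with the "MZ" DOS header magic found at offset 0 of every Windows EXE.
PE_STUB = b"MZ" + b"\x00" * 62


def build_archive(members):
    """Write a dict of {name: bytes} into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Hypothetical member names, constructed for the example.
LURE_ZIP = build_archive({"document.docx.exe": PE_STUB})
BENIGN_ZIP = build_archive({"report.docx": b"PK\x03\x04 constructed docx body"})

DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk")


def inspect_archive(zip_bytes):
    """Return a list of (member_name, reason) findings for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            if name.endswith(EXEC_EXTENSIONS):
                # Double extension such as "invoice.docx.exe": a document-looking
                # name with an executable suffix is the classic lure pattern.
                stem = name.rsplit(".", 1)[0]
                if stem.endswith(DOC_EXTENSIONS):
                    findings.append((info.filename, "document name with executable extension"))
                else:
                    findings.append((info.filename, "executable inside archive"))
                continue
            # Content check: a PE file starts with "MZ" regardless of its name,
            # so a renamed executable is still caught here.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append((info.filename, "PE header under non-executable name"))
    return findings
```

The name check catches the double-extension trick and the header check catches a payload renamed to a harmless-looking extension; both are cheap enough to run on every inbound attachment.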
DinodasRAT encrypts the data it transmits using the Tiny Encryption Algorithm (TEA) and can collect system metadata, manipulate the Windows registry, and execute remote commands. The attackers also deployed tools such as the PlugX Trojan and the SoftEther VPN client for lateral movement within the victim's network.
Microsoft has been tracking these operators under the name Flax Typhoon, and their use of the SoftEther VPN client is one of the traits that links the activity to that group. ESET researcher Fernando Tavella commented, "Based on the phishing emails used to gain initial access, we can safely say that the hackers monitor the geopolitical activity of their victims to increase the probability of success."
This attack is a reminder that even smaller countries like Guyana can become targets of sophisticated cyber operations by foreign powers. Guarding against such attacks requires investment in reliable cybersecurity systems and in staff training.