Google's Threat Analysis Group (TAG) has unearthed a cyberespionage operation sponsored by the Chinese People's Liberation Army (PLA) and other Chinese intelligence agencies targeting Ukrainian government to gather information on the ongoing conflict.
Billy Leonard, a security engineer at Google TAG, said Google has informed that Ukrainian government agencies are targeted by China-sponsored hacking groups.
"Over the last few weeks Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties," Billy Leonard said. “While our priority is providing notifications to impacted parties, we've provided related IOCs to community partners, and we will publish more details for the security community in the near future."
Group leader Shane Huntley also confirmed Leonard’s assessment, saying that “the Ukrainian war has not only attracted the attention of European threatening players, but China is working hard here too.”
Last week, the hacktivist collective group Intrusion Truth stated that the campaign was directly sponsored by the Chinese government. The group announced that it is sharing IOCs with community partners and plan to provide additional details on the ongoing attacks in the future.
Google TAG’s report on China’s ongoing cyber activity in Ukraine follows another warning issued a week ago regarding a Chinese-sponsored hacking group tracked as APT31 targeting Gmail users linked with the U.S. government.
A day ago, Google security researchers disclosed that Russia and Belarus targeted Ukrainian and European government and military organizations in extensive phishing and DDoS assaults.
"In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia," stated Shane Huntley.
Google also reported China-backed Mustang Panda cyberespionage group (also known as Temp.Hex and TA416) have also switched to phishing assaults on European entities using lures linked with the invasion of Ukraine.
In some attacks identified by Google, hackers employed malicious attachments with file names such as ‘Situation at the EU borders with Ukraine.zip’. On the same day, Proofpoint revealed that Mustang Panda was found phishing “European diplomatic organizations, including refugees and individuals involved in migrant services.”
