China’s APT41 Group Exploits Open-Source Red Teaming Tool GC2
China-linked APT group HOODOO, also known as APT41, has once again demonstrated its use of publicly available tooling in a recent cyberattack against a Taiwanese media organization. The group used an open-source red teaming tool called Google Command and Control (GC2) to conduct the attack. Google’s Threat Analysis Group (TAG) discovered the attack in October 2022 and reported it to the targeted organization. This attack highlights the growing trend of Chinese APT groups using publicly available tooling and the proliferation of tools written in the Go programming language.
GC2 is written in the Go programming language and is designed to fetch commands from Google Sheets and exfiltrate data to Google Drive. Once installed, the malware queries Google Sheets to obtain attacker commands and lets operators download additional files from Drive onto the victim system. Google TAG experts reported that APT41 had previously used this tool in a July 2022 attack against an Italian job search website. The use of publicly available tooling confuses attribution efforts, making it more difficult to determine who is behind an attack.
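As an added illustration (not part of the original article or of the GC2 project), the following Python script looks for the traffic pattern described above in constructed web-proxy logs: steady-cadence polling of the Sheets API from a process that is not a browser or known Google client, optionally followed by an upload POST to the Drive API. The API host names, process names and log lines are assumed or constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp host process destination method
PROXY_LOG = """\
2022-10-03T09:00:00 WS-17 chrome.exe sheets.googleapis.com GET
2022-10-03T09:00:05 WS-17 updater.exe sheets.googleapis.com GET
2022-10-03T09:01:05 WS-17 updater.exe sheets.googleapis.com GET
2022-10-03T09:02:05 WS-17 updater.exe sheets.googleapis.com GET
2022-10-03T09:03:05 WS-17 updater.exe sheets.googleapis.com GET
2022-10-03T09:03:09 WS-17 updater.exe www.googleapis.com POST
2022-10-03T09:04:05 WS-17 updater.exe sheets.googleapis.com GET
2022-10-03T09:15:00 WS-22 chrome.exe sheets.googleapis.com GET
"""

# Assumed host names: Sheets API (command channel) and Drive upload endpoint
# (exfiltration channel); adjust to what your proxy actually records.
C2_HOSTS = {"sheets.googleapis.com"}
UPLOAD_HOSTS = {"www.googleapis.com", "drive.googleapis.com"}
# Processes expected to talk to Google APIs; anything else is "unexpected".
KNOWN_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

def parse(log):
    for line in log.splitlines():
        ts, host, proc, dest, method = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), dest, method

def find_gc2_like_polling(log, min_hits=4, max_jitter=0.2):
    """Return {(host, process): {...}} for unexpected processes that poll the
    Sheets API on a steady cadence; 'uploads' marks a Drive POST by the same process."""
    polls, uploads = defaultdict(list), set()
    for ts, host, proc, dest, method in parse(log):
        if proc in KNOWN_CLIENTS:
            continue
        if dest in C2_HOSTS and method == "GET":
            polls[(host, proc)].append(ts)
        elif dest in UPLOAD_HOSTS and method == "POST":
            uploads.add((host, proc))
    findings = {}
    for key, times in polls.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Near-constant inter-request gaps indicate a machine-driven beacon.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[key] = {"interval_s": round(avg), "uploads": key in uploads}
    return findings
```

On the constructed log, only `WS-17` / `updater.exe` is flagged: five Sheets GETs exactly 60 seconds apart plus a Drive POST, while the browser traffic is ignored.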
The use of the Go programming language is another trend that has been noted by researchers. The flexibility of the Go language and its convenience for adding and removing module components make it an attractive option for cyber attackers. As a result, the use of malware and tools written in the Go programming language has continued to expand.
The attack against the Taiwanese media organization highlights the continued overlap of public sector threat actors targeting private sector organizations with limited government ties. This targeting of private sector organizations is concerning and highlights the importance of improving enterprise defences, particularly in cloud services, which are becoming a privileged target for nation-state actors.
According to Google’s research, cloud providers are useful targets for these types of operations, either as hosts for malware or as command-and-control (C2) infrastructure.
Account takeover is the most common type of attack against networks and cloud instances. Google’s report therefore also includes mitigations for organizations to implement to improve their defences against cyber-attacks. These mitigations include implementing multi-factor authentication, regularly reviewing access controls, and limiting the number of service accounts with wide-ranging permissions.
The attack against the Taiwanese media organization serves as a reminder that organizations must remain vigilant and implement effective cybersecurity measures to protect against cyber-attacks. It is crucial for organizations to keep up to date with the latest trends in cyber-attacks and implement appropriate defences. Failure to do so could result in significant financial losses, reputational damage, and regulatory fines.
Furthermore, the attack also highlights the need for increased international cooperation in the fight against cyber-attacks. Cyber-attacks are a global issue that requires a coordinated effort from governments, international organizations, and the private sector to address. This cooperation should include information sharing, joint exercises, and the development of international norms and standards for cybersecurity.
The use of GC2 by China-linked APT group HOODOO in an attack against a Taiwanese media organization highlights the growing trend of Chinese APT groups using publicly available tooling and the proliferation of tools written in the Go programming language. It also highlights the continued targeting of private sector organizations by public sector threat actors and the importance of improving enterprise defences, particularly in cloud services. Organizations must remain vigilant and implement appropriate cybersecurity measures to protect against cyber-attacks, and international cooperation is crucial in the fight against cyber-attacks. By working together, we can create a safer and more secure digital environment for all.
Author: Manjushree Gavitre