Google Warns of Chinese State Actor Hack in Real-Time Following Alerts
Google has issued a real-time warning about a sophisticated hacking campaign against its users, attributed to UNC6384, a Chinese state-sponsored actor. The company's threat-intelligence arm, the Google Threat Intelligence Group (GTIG), published a blog post describing how it detected "evidence of a captive portal hijack being used to deliver malware disguised as an Adobe Plugin update to targeted entities." The campaign is the latest in a series of cyber-attacks attributed to China, underscoring the country's continuing state-sponsored hacking operations against its adversaries in the West.
The attack, according to Google, targeted diplomats in Southeast Asia, as well as other entities around the world. A captive portal is essentially a login page that appears on public networks, such as airports or coffee shops, after connecting to the network but before gaining access to the public internet. In this case, the attackers compromised edge devices on those target networks, including routers, firewalls, VPN gateways, and other similar infrastructure. They then used these compromised devices to hijack the portals and redirect visitors to a malicious landing page.
Visitors were then prompted to download a "security update" for Adobe, which was in fact malware. The initial payload, an MSI package, installed second-stage malware including CANONSTAGER and SOGU.SEC. The latter is a backdoor that connects to an attacker-controlled C2 server and gives the operators unrestricted access to the victim's computer. Google first observed the attack in March this year and sent alerts to affected Gmail and Workspace users.
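The delivery chain above (a connectivity-check probe answered with a redirect to a portal page, followed by an MSI download from that same portal host) leaves a recognisable footprint in web proxy or egress logs. The following is an added example, not code from Google or the GTIG post: it scans constructed proxy log lines in an assumed format (timestamp, client, method, URL, status, and a Location or Content-Type field) and flags installers served from a host that a captive-portal probe was redirected to, unless that host is on an assumed allow-list of vendor update hosts.

```python
import re
from urllib.parse import urlparse

# Hosts that operating systems and browsers probe to detect a captive portal.
PROBE_HOSTS = {"connectivitycheck.gstatic.com", "www.msftconnecttest.com",
               "captive.apple.com", "detectportal.firefox.com"}
# Assumed allow-list of legitimate Adobe update hosts (illustrative, not authoritative).
TRUSTED_UPDATE_HOSTS = {"ardownload.adobe.com", "armmf.adobe.com"}

# Constructed sample log lines: <ts> <client> <method> <url> <status> <Location=...|Content-Type=...|->
SAMPLE_LOG = """\
2025-03-10T09:01:02Z 10.0.5.23 GET http://connectivitycheck.gstatic.com/generate_204 302 Location=http://wifi-login.example/portal
2025-03-10T09:01:05Z 10.0.5.23 GET http://wifi-login.example/portal 200 Content-Type=text/html
2025-03-10T09:01:40Z 10.0.5.23 GET http://wifi-login.example/AdobePlugin_Update.msi 200 Content-Type=application/x-msi
2025-03-10T09:02:00Z 10.0.5.41 GET http://connectivitycheck.gstatic.com/generate_204 204 -
2025-03-10T09:03:11Z 10.0.5.50 GET http://www.msftconnecttest.com/connecttest.txt 302 Location=http://wifi-login.example/portal
2025-03-10T09:03:30Z 10.0.5.50 GET https://ardownload.adobe.com/pub/adobe/reader/update.msi 200 Content-Type=application/x-msi
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse(line):
    """Split one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, extra = m.groups()
    return {"ts": ts, "client": client, "url": url, "status": int(status), "extra": extra}

def find_portal_delivered_installers(log_text):
    """Return (client, url) pairs where an MSI was fetched from a captive-portal redirect target."""
    portal_hosts = {}  # client -> hosts that a captive-portal probe was redirected to
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        host = urlparse(rec["url"]).hostname
        # Step 1: remember where each client's connectivity probe was redirected.
        if host in PROBE_HOSTS and rec["status"] in (301, 302, 303, 307) and rec["extra"].startswith("Location="):
            target = urlparse(rec["extra"][len("Location="):]).hostname
            portal_hosts.setdefault(rec["client"], set()).add(target)
            continue
        # Step 2: an installer pulled from that portal host, off the vendor allow-list, is suspicious.
        is_installer = rec["url"].lower().endswith(".msi") or rec["extra"].endswith("application/x-msi")
        if is_installer and host in portal_hosts.get(rec["client"], set()) and host not in TRUSTED_UPDATE_HOSTS:
            hits.append((rec["client"], rec["url"]))
    return hits
```

On the sample data only client 10.0.5.23 is flagged: 10.0.5.41 received the expected 204 and never saw a portal, and 10.0.5.50 fetched its MSI from a vendor host rather than from the portal.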
Google's detection of this attack highlights the company's continued efforts to monitor and respond to emerging threats. The incident also underscores the importance of cybersecurity awareness and vigilance, particularly for organizations and individuals with critical infrastructure or sensitive data.
The Chinese government has long denied involvement in cyber-warfare against its adversaries in the West, instead accusing the US of being the biggest cyber-bully. However, evidence of state-sponsored hacking operations like this latest attack by UNC6384 suggests that China's role in these activities cannot be ignored.
In recent years there has been a significant increase in state-sponsored hacking campaigns targeting government, critical-infrastructure, and telecommunications organizations in the West. These attacks often involve sophisticated malware and tactics, such as using compromised edge devices to hijack public networks and deliver malicious payloads to unsuspecting users.
As cybersecurity threats continue to evolve, it is essential for individuals and organizations to remain vigilant and take proactive steps to protect themselves. This includes keeping software up-to-date, using strong passwords, and being cautious when clicking on links or downloading attachments from unknown sources.
By staying informed about emerging threats like this latest attack by UNC6384, we can better understand the tactics and techniques used by state-sponsored hackers and develop effective strategies to counter them. As the threat landscape continues to shift, it is more important than ever for us to stay ahead of the curve and protect ourselves against these types of sophisticated cyber-attacks.