top of page

THREE SURVEILLANCE TOOLS LINKED TO RUSSIA'S GAMAREDON GROUP AND CHINESE PUBLIC SECURITY BUREAUS WERE DETECTED AND THE THAI GOVERNMENT IDENTIFIED A CYBER ESPIONAGE CAMPAIGN

December 12-18, 2024 | Issue 50 - CICYBER and PACOM

Chiara Cerisola, Martina Sclaverano, Mercedes Scheible, CICYBER

Alya Fathia Fitri, Editor; Angelina Sammarco, Senior Editor


Coding[1]


Date: December 12, 2024

Location: Global

Parties involved: Threat intelligence platform Lookout; Russian-based hacker group Gamaredon; Russian Federal Security Service (FSB); Chinese public security bureaus; Chinese surveillance entities; Chinese security company Wuhan Chinasoft Token Information Technology Co.; dissidents; vulnerable communities

The event: Lookout researchers identified three Android surveillance tools, BoneSpy and PlainGnome, linked to Russia's Gamaredon group, and EagleMsgSpy, connected to Chinese public security bureaus, which have been targeting dissidents and vulnerable communities for espionage since 2017.[2]

Analysis & Implications:

  • Russia and China will very likely continue developing and deploying mobile surveillance tools to target vulnerable communities, such as ethnic minorities, dissident groups, and high-value foreign institutions that challenge their politics and ideologies. Gamaredon and the FSB will very likely leverage their historical expertise in cyber operations and political suppression to refine BoneSpy and Plain Gnome by enhancing their capabilities to evade detection, improve persistence, and expand their data exfiltration functionalities. Wuhan Chinasoft Token Information Technology Co. will almost certainly continue advancing and widening the deployment of EagleMsgSpy by incorporating more sophisticated obfuscation techniques, improving its data collection capabilities, and targeting a broader range of devices and applications to enhance its effectiveness in espionage operations. The tools’ ability to collect extensive user data, including messages, call logs, and GPS locations, will very likely enable governments to monitor opposition activities, disrupt organizational cohesion, and preemptively suppress dissent.

  • BoneSpy, PlainGnome, and EagleMsgSpy will likely leverage advanced tactics, techniques, and procedures (TTPs) to achieve their espionage objectives, such as gathering sensitive intelligence on political dissidents, ethnic minorities, and foreign government operations, while delaying or avoiding detection. These TTPs will likely exploit unpatched vulnerabilities in the mobile operating systems targeted and analyzed since espionage operations began in 2017. All three tools will almost certainly employ anti-analysis features like encryption and obfuscation, very likely increasing caution and plausible deniability after their identification by Lookout. Gamaredon and Chinese surveillance entities will almost certainly continue executing broad surveillance activities, including location tracking, keylogging, and real-time monitoring of targets.


Date: December 14, 2024

Location: Thailand

Parties involved: Thailand; Thai government officials; Thailand’s geopolitical adversaries; threat actors; Southeast Asia; non-state affiliated groups; individual hackers; International criminal cooperation officials

The event: Thai government officials identified a cyber espionage campaign employing dynamic-link library (DLL) side-loading techniques to deploy a previously undocumented backdoor named Yokai, which facilitates unauthorized access and command execution on compromised systems.[3]

Analysis & Implications: 

  • The threat actor behind Yokai is very likely a state-sponsored group aimed at gathering sensitive intelligence and increasing its influence over Thailand’s geopolitical adversaries, particularly in Southeast Asia. The attacker will very likely operate under the directive of a nation-state, likely using cyber espionage to obtain diplomatic, legal, and strategic information that benefits its government’s foreign policy goals. There is a roughly even chance that non-state affiliated groups and individual hackers will exploit Yokai, very likely obtaining information on how to exploit it from accessible information on the dark web. These individuals will likely attempt to use this vulnerability for personal gain, very likely demanding ransom payments for compromised files or offering services for penetration testing.

  • The threat actor will likely continue exploiting DLL side-loading, spear-phishing campaigns, and decoy files as primary tactics to evade detection, establish persistence, and gain unauthorized access to target systems such as government and organizational networks handling sensitive diplomatic and operational data. The campaign’s reliance on DLL side-loading will very likely enable the attacker to bypass endpoint security tools, such as antivirus programs, host-based intrusion detection systems (HIDS), and endpoint detection and response (EDR) solutions, by executing malicious code through legitimate software, like the iTop Data Recovery executable, likely ensuring stealth and persistence. Once deployed, Yokai will very likely allow the attacker to maintain long-term access to compromised systems, execute remote commands, and extract sensitive data. These tactics will very likely remain effective due to their combination of social engineering with technical exploitation, which many government agencies lack the resources to detect or mitigate.

  • Thai government officials, especially those engaged in international law enforcement and diplomatic relations, will very likely remain key targets as the attacker likely seeks to undermine regional cooperation and gain access to sensitive communications. The attacker will very likely target international criminal cooperation officials to collect intelligence on cross-border investigations, shared law enforcement strategies, and foreign policy discussions. Focusing on diplomatic communications will very likely enable the threat actor to monitor sensitive negotiations, identify key players, and manipulate outcomes according to its geopolitical interests. Targeting Thailand will likely serve as a testbed for future campaigns against other Southeast Asian nations, likely expanding the group’s operational reach and increasing regional instability. Unlock the Power of Knowledge with The Counter Threat Center! Elevate your threat detection capabilities with critical intelligence on global threats. Join us for a free trial and equip yourself to safeguard those you've sworn to protect. Click here to learn more: https://www.counterthreatcenter.com/subscriptions

 

[1] Coding, generated by a third party database

[2] Lookout Discovers New Spyware Deployed by Russia and China, Inforsecurity Magazine, December 2024, https://www.infosecurity-magazine.com/news/lookout-new-spyware-russia-china/ 

[3] Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques, The Hacker News, December 2024, https://thehackernews.com/2024/12/thai-officials-targeted-in-yokai.html 

bottom of page