Chinese Aligned Hacking Group Ramps Up in Europe


Cybersecurity researchers at Proofpoint have just released new threat intelligence identifying that a Chinese-state-aligned hacking group has been ramping up its targeting of diplomatic entities in Europe as the war in Ukraine has intensified, using malicious email campaigns to deliver malware.

  • The threat actor in question, TA416 (AKA RedDelta), is known to be aligned with the Chinese state and has been targeting Europe for several years. Proofpoint has been tracking this actor since 2020 however the tempo of the attacks has increased sharply since Russian troops began massing on the Ukraine border.
  • Most recently, TA416 began using a compromised email address of a diplomat from a European NATO country to target a different country’s diplomatic offices. The targeted individual worked in refugee and migrant services.
  • TA416’s campaigns have utilised web bugs to profile their targets before dropping the malware. These indicate to the attacker that the targeted account is valid with the victim being inclined to open emails that utilise social engineering content. This suggests more discerning targeting from TA416 and may be an attempt to avoid having their malicious tools discovered and publicly disclosed.
  • The targeted campaigns include malicious links and decoy documents related to the border movements of Ukrainian refugees, with the aim of delivering a malware called PlugX to the victims. PlugX is a RAT (Remote Access Trojan) which when installed, can be used to fully control the victim’s machine.

Proofpoint researchers commented: “The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed. By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malicious malware payloads”.