{"id":1618,"date":"2023-08-22T10:00:00","date_gmt":"2023-08-22T10:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=76516"},"modified":"2023-08-22T10:00:00","modified_gmt":"2023-08-22T10:00:00","slug":"previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/08\/22\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack\/","title":{"rendered":"Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack | CyberScoop<\/title> <meta name=\"description\" content=\"The unknown and unattributed hackers compromised legitimate software in apparent focused attack, researchers said.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/hacking-group-hong-kong-supply-chain-cyberattack\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack\"> <meta property=\"og:description\" content=\"The unknown and unattributed hackers compromised legitimate software in apparent focused attack, researchers said.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/hacking-group-hong-kong-supply-chain-cyberattack\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" 
content=\"2023-08-22T10:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2023-08-22T13:14:50+00:00\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1691523982g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1692696474g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1692820872g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=008d053dcbaaeb47b822\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/76516\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=76516\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhacking-group-hong-kong-supply-chain-cyberattack%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhacking-group-hong-kong-supply-chain-cyberattack%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-76516 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/hacking-group-hong-kong-supply-chain-cyberattack\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" 
readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.307210031348\">\n<div class=\"single-article__header-content\" readability=\"31.258064516129\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> The unknown and unattributed hackers compromised legitimate software in apparent focused attack, researchers said. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Skyscrapers at night, Hong Kong skyline. 
(Kanok Sulaiman\/Getty Images)\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/08\/previously-unknown-hacking-group-targets-hong-kong-organizations-in-supply-chain-cyberattack-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Skyscrapers at night, Hong Kong skyline. 
(Kanok Sulaiman\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"35.500279485746\"><body readability=\"70.904510837727\"><\/p>\n<p>A previously unknown hacking campaign targeted file protection, encryption and decryption software as part of a supply chain attack on unnamed targets in Hong Kong and other regions of Asia, according to an <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/carderbee-software-supply-chain-certificate-abuse\">analysis published Tuesday<\/a>. <\/p>\n<p>Researchers with the Symantec Threat Hunter Team, part of Broadcom, dubbed the unknown actors behind the campaign \u201cCarderbee\u201d and said the group compromised a Cobra DocGuard software update file with the goal of deploying the Korplug backdoor (also known as PlugX), a widely used piece of malware. <\/p>\n<p>The malware was signed with a legitimate Microsoft certificate, the researchers noted, which can make it much harder for security software to detect because validly signed files are often treated as trusted. <\/p>\n<p>The campaign, which started in April 2023, was detected on roughly 100 computers across multiple organizations. Given that the Cobra DocGuard software \u2014 produced by the China-based EsafeNet, which itself is owned by the Chinese information security firm NSFOCUS \u2014&nbsp;is installed on roughly 2,000 computers but the campaign was detected on only roughly 100, the \u201cattacker may be selectively pushing payloads to specific victims,\u201d the researchers said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The campaign is just the latest example of a successful supply chain attack. 
In March, hackers with suspected links to North Korea <a href=\"https:\/\/cyberscoop.com\/3cx-supply-chain-north-korea\/\">successfully compromised<\/a> the X_Trader financial trading software, which led to a second successful attack on the 3CX video and online communications platform. In May, the ransomware syndicate CL0P compromised the MOVEit file sharing service, leading to data exfiltration from more than 600 organizations worldwide and exposing data associated with tens of millions of people, according to <a href=\"https:\/\/www.reuters.com\/technology\/moveit-hack-spawned-around-600-breaches-isnt-done-yet-cyber-analysts-2023-08-08\/\">a Reuters analysis<\/a>. <\/p>\n<p>Originally limited to Chinese-related hacking campaigns, PlugX is now widespread enough that conclusive attribution is not possible, the researchers said. Nevertheless, Cobra DocGuard update files were compromised to target a Hong Kong-based gambling company in September 2022, <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/01\/eset_apt_activity_report_t32022.pdf\">according to ESET<\/a>, by a Chinese-linked hacking effort tracked as LuckyMouse (<a href=\"https:\/\/attack.mitre.org\/groups\/G0027\/\">also known as<\/a> APT27, Emissary Panda and Bronze Union). That campaign also delivered a variant of the Korplug malware.<\/p>\n<p>The similar tactics, techniques and procedures hint at a Chinese connection, even if full attribution isn\u2019t yet possible. \u201cThe Korplug back door is usually used by China-linked APT groups,\u201d said Brigid O. Gorman, a senior intelligence analyst with Symantec. \u201cIn addition to this, the targeting is in line with what we\u2019ve seen from China-linked groups in the past. 
As stated in the blog there are also some similarities between this activity and previous activity carried out by the Budworm (aka APT27) group.\u201d<\/p>\n<p>Gorman declined to elaborate on the victims in this particular campaign, but noted that although there were some victims throughout south and southeast Asia, \u201cit appears organizations in Hong Kong were the main targets in this campaign.\u201d<\/p>\n<p>The attackers in this case \u201care patient and skilled actors,\u201d the report\u2019s authors conclude, leveraging \u201cboth a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar.\u201d And although there are open questions about the group \u2014&nbsp;including a more complete picture of the sectors targeted in the campaign and links to established Chinese hacking efforts \u2014&nbsp;the case is a reminder that \u201csoftware supply chain attacks remain a major issue for organizations in all sectors.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.5\">\n<div class=\"author-card\" readability=\"8\">\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a 
href=\"https:\/\/cyberscoop.com\/hacking-group-hong-kong-supply-chain-cyberattack\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Previously unknown hacking group targets Hong Kong organizations in supply<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[302,288],"tags":[306,294],"class_list":["post-1618","post","type-post","status-publish","format-standard","hentry","category-geopolitics","category-threats","tag-geopolitics","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1618"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1618\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}