Asia Cyber Summaries

17 Feb 2023 | Asia Cyber Summary

In the spotlight this week:

  • Chinese Tonto Team Hackers' Second Attempt to Target Cyber Security Firm Group-IB Fails
  • New Malware Campaign Targets Chinese Speakers via ‘Sponsored’ Google Ads
  • Hyundai, Kia Patch Bug Allowing Car Thefts With a USB Cable
  • India-Linked Group Used Telegram To Mastermind Cyber Attacks Across Asia
  • Australian Government Sees 47 Mandatory Cyber Incident Reports in Nine Months

Chinese Tonto Team Hackers' Second Attempt to Target Cyber Security Firm Group-IB Fails

In June 2022, the advanced persistent threat (APT) actor Tonto Team launched an unsuccessful attack against the Singapore-headquartered cyber security firm Group-IB. The firm said it detected and blocked malicious phishing emails from the group that targeted its employees. This attack follows one in March 2021 that was also directed at Group-IB. Tonto Team, also known as Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been connected to attacks against a variety of targets in Asia and Eastern Europe. The group is said to have connections to the Third Department (3PLA) of the Shenyang TRB (Unit 65016) of the People's Liberation Army and has been active since at least 2009.

New Malware Campaign Targets Chinese Speakers via ‘Sponsored’ Google Ads

Security researchers have uncovered a new malware campaign that has been targeting Chinese speakers throughout East and South-East Asia. The unidentified threat actors distributed Chinese-language versions of legitimate software bundled with installers that infect a victim's device with a remote access trojan. Although Thailand, Malaysia, and Singapore were also affected, China, Taiwan, and Hong Kong saw the majority of attacks. The campaign's success was attributed to specially crafted advertisements, placed in the sponsored slots of Google search results, that led to copycat sites imitating popular applications. Examples include applications such as Chrome, Firefox, and Telegram, which are not available in China.

Hyundai, Kia Patch Bug Allowing Car Thefts With a USB Cable

Hyundai and Kia are releasing an emergency software update for a number of their vehicle models that are vulnerable to a simple hack that makes it possible to steal them. "In response to increasing thefts targeting its vehicles without push-button ignitions and immobilizing anti-theft devices in the United States, Hyundai is introducing a free anti-theft software upgrade to prevent the vehicles from starting during a method of theft popularized on TikTok and other social media channels," reads Hyundai's announcement. Since July 2022, the car hack has been widely publicized on TikTok as a "challenge," with videos demonstrating how to remove the steering column cover to expose a USB-A slot that can be used to hotwire the vehicle.

India-Linked Group Used Telegram To Mastermind Cyber Attacks Across Asia

The Indian nationalist threat actor group SideWinder, also known as Hardcore Nationalist (HN2), has been tracked by cyber security researchers going after more than 60 organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. Nearly half of all attacks were directed at targets in Nepal, which shares a land border with India. Government agencies were by far the most heavily targeted, with 44 singled out, compared to just four military organizations. SideWinder handles data taken from compromised systems using the well-known messaging app Telegram.

Australian Government Sees 47 Mandatory Cyber Incident Reports in Nine Months

The Australian government's Cyber and Infrastructure Security Centre (CISC) fielded 47 cyber incident reports from critical infrastructure providers in the first nine months of mandatory reporting of information security incidents. The mandatory regime covers 11 critical infrastructure sectors; affected entities have between 12 and 72 hours to lodge an incident report, depending on the severity of the incident. Further systems of national significance may be declared in the future, and a consultation on expanding the list is due at the end of this month.
