Three years in the making, the stealthy surveillance and cyber espionage weapon may already have been deployed against other countries.

Attackers believed to be a threat group from China have been found targeting a Southeast Asian government by systematically sending weaponized documents, which impersonate other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs.

The ongoing surveillance operation was spotted by Check Point Research, which suspects that the purpose of the operation is espionage through the installation of a previously unknown backdoor into the Windows software running on personal computers of victims.

Efforts in avoiding detection

After the backdoor was installed, the attackers could collect nearly any information they wanted, as well as take screenshots and execute additional malware on a target’s personal computer. Investigations have revealed that the attackers had been testing and refining their Windows backdoor tool for at least the past three years.

  • Attackers began by sending weaponized documents, impersonating other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs
  • Attackers developed, tested and deployed a new cyber espionage weapon, specifically a Windows backdoor with the internal name “VictoryDll_x86.dll”, capable of collecting nearly any information the attackers want
  • The surveillance operation placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times

Lotem Finkelstein, Head of Threat Intelligence at the firm, said that all the evidence points to a highly organized operation that places significant effort into remaining under the radar. “Every few weeks, the attackers used spear-phishing emails, laced with weaponized versions of government-themed documents, to try and create a foothold into the Ministry of Foreign Affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the said ministry. All in all, the attackers were very systematic in their approach.”

Added Finkelstein: “This backdoor is far more intrusive and capable of collecting a vast amount of data from an infected computer. We learned that the attackers are not only interested in cold data, but also what is happening on a target’s personal computer at any moment, resulting in live espionage. Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyber espionage weapon on other targets around the world.”