The recently disclosed advanced persistent threat (APT) actor Sandman appears to be linked to China, SentinelOne, Microsoft, and PwC say in a joint report.
The hacking group was brought into the spotlight at the LABScon security conference, standing out because of the sophisticated modular backdoor LuaDream, which has been built using the cross-platform programming language Lua.
Initial reporting drew attention to Sandman's targeting of telecom providers in the Middle East, Europe, and South Asia, likely for cyberespionage purposes, but did not link the activity to any known APTs.
The joint report draws links between the observed Sandman APT attacks and the activity of STORM-0866/Red Dev 40, a suspected China-based threat actor known to be using the KeyPlug backdoor.
KeyPlug was initially detailed in March 2022 after being used by the Chinese state-sponsored group APT41 in attacks against a US government entity.
LuaDream and KeyPlug have been observed on the same victim environments, and even on the same endpoints.
In one attack, KeyPlug was deployed in May 2023, followed by LuaDream three months later, and both remained active simultaneously for roughly two weeks.
The investigation into these threats revealed overlaps in functionality and design, pointing to shared functional requirements and suggesting shared development practices and shared control and management of infrastructure.
The security researchers were able to link the APTs through the use of digital certificates, IPs, cloud-based reverse proxy infrastructure, hosting providers, and domain naming conventions.
A comparison between KeyPlug and LuaDream revealed the use of identical encryption keys, a similar high-level execution flow, and direct overlaps in implementation, such as support for the same protocols for command-and-control communication.
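The infrastructure and code overlaps described above are the kind of pivots an analyst scores when deciding whether two activity clusters belong to the same operator. The Python below is an added example and is not code from the joint report or from SentinelOne, Microsoft or PwC: it indexes two clusters of observations by pivot type (certificate hash, IP address, hosting ASN, cloud reverse-proxy provider, exact domain, and domain naming convention reduced to a shape pattern) and computes a weighted overlap score, with a third unrelated cluster as a control. Every indicator, weight and threshold in it is a constructed assumption; the IPs and ASNs are drawn from documentation ranges and none of the values are real Sandman, LuaDream or KeyPlug indicators.

```python
import re
from collections import defaultdict

# Pivot weights: how much a single shared value of each kind counts.
# These are illustrative assumptions, not values from the joint report.
WEIGHTS = {
    "cert_sha256": 5,     # same TLS certificate on C2 infrastructure
    "ip": 3,              # same C2 IP address
    "domain": 3,          # exact reuse of a C2 domain
    "domain_shape": 2,    # same domain naming convention
    "asn": 1,             # same hosting provider / ASN
    "proxy_provider": 1,  # same cloud reverse-proxy service in front of C2
}

# Constructed, hypothetical observations. IPs come from RFC 5737 documentation
# ranges and ASNs from the reserved documentation range (AS64496-AS64511);
# none of these are real Sandman, LuaDream or KeyPlug indicators.
CLUSTER_LUADREAM_LIKE = [
    {"type": "cert_sha256", "value": "sha256:0000aaaa1111bbbb"},  # placeholder hash
    {"type": "ip", "value": "198.51.100.17"},
    {"type": "asn", "value": "AS64496"},
    {"type": "proxy_provider", "value": "reverse-proxy-provider-1"},
    {"type": "domain", "value": "update-svc01.example"},
    {"type": "domain", "value": "mirror-cdn02.example.net"},
]
CLUSTER_KEYPLUG_LIKE = [
    {"type": "cert_sha256", "value": "SHA256:0000AAAA1111BBBB"},  # same cert, different case
    {"type": "ip", "value": "203.0.113.9"},
    {"type": "asn", "value": "AS64496"},
    {"type": "proxy_provider", "value": "reverse-proxy-provider-1"},
    {"type": "domain", "value": "sync-api07.example"},
    {"type": "domain", "value": "cache-node03.example.org"},
]
# A control cluster with nothing in common, to show the score stays at zero.
CLUSTER_UNRELATED = [
    {"type": "cert_sha256", "value": "sha256:ffff9999eeee8888"},
    {"type": "ip", "value": "192.0.2.44"},
    {"type": "asn", "value": "AS64500"},
    {"type": "proxy_provider", "value": "reverse-proxy-provider-2"},
    {"type": "domain", "value": "portal.example.edu"},
]


def domain_shape(domain: str) -> str:
    """Reduce a hostname to its naming pattern so conventions can be compared.

    Letter runs become 'a', digit runs become '9', separators ('-', '.') stay.
    'update-svc01.example' -> 'a-a9.a'; 'cache-node03.example.org' -> 'a-a9.a.a'.
    """
    host = domain.lower().strip(".")
    shape = re.sub(r"[a-z]+", "a", host)
    return re.sub(r"[0-9]+", "9", shape)


def index_cluster(observations):
    """Group a cluster's observations into sets keyed by pivot type."""
    index = defaultdict(set)
    for obs in observations:
        kind, value = obs["type"], obs["value"].lower()
        index[kind].add(value)
        if kind == "domain":
            # Also index the naming convention, not just the literal domain.
            index["domain_shape"].add(domain_shape(value))
    return index


def overlap_report(cluster_a, cluster_b):
    """Return shared values per pivot type and a weighted overlap score."""
    idx_a, idx_b = index_cluster(cluster_a), index_cluster(cluster_b)
    shared, score = {}, 0
    for pivot, weight in WEIGHTS.items():
        common = idx_a.get(pivot, set()) & idx_b.get(pivot, set())
        if common:
            shared[pivot] = sorted(common)
            score += weight * len(common)
    return {"score": score, "shared": shared}


def verdict(score: int) -> str:
    """Map a score to a coarse label; thresholds are illustrative assumptions."""
    if score >= 8:
        return "strong"
    if score >= 4:
        return "moderate"
    return "weak"


if __name__ == "__main__":
    for name, other in (("KeyPlug-like", CLUSTER_KEYPLUG_LIKE),
                        ("unrelated", CLUSTER_UNRELATED)):
        report = overlap_report(CLUSTER_LUADREAM_LIKE, other)
        print(f"{name}: score={report['score']} ({verdict(report['score'])})")
        for pivot, values in report["shared"].items():
            print(f"  {pivot}: {', '.join(values)}")
```

The shape reduction is what lets a naming convention count as evidence even when no literal domain is reused: two clusters that both register hosts of the form word-word-digits under a single label score a match on `domain_shape` while an unrelated cluster does not. A shared certificate fingerprint is weighted highest because reusing a certificate across supposedly separate infrastructure is a far stronger signal than sharing a popular hosting provider, which many unrelated actors do.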
Published on www.securityweek.com, Tue, 12 Dec 2023 14:13:10 +0000.