A cyber-espionage group historically believed to operate in the interests of the Chinese government is believed to have hacked a UK government contractor; security researchers found evidence on the contractor's systems that the attackers stole information related to UK government departments and military technology.
The attackers used never-before-seen tools and older malware, but also employed legitimate applications already present on the compromised systems in an attempt to remain undetected for as long as possible.
Security researchers from NCC Group, who investigated the hacks, said they kicked hackers off the victim's network once, but they regained access after a couple of weeks, even deploying new malware in the attack, in an attempt to prolong their stay.
The attackers have been identified by the codename APT15. This codename describes a cyber-espionage outfit whose operations have been previously detailed in reports from other security vendors under other names, such as Ke3chang, Mirage, Vixen Panda, GREF, and Playful Dragon [1, 2, 3].
APT15 deploys two new backdoors: RoyalCLI and RoyalDNS
For the attacks on the UK government contractor, APT15 deployed two new backdoors, named RoyalCLI and RoyalDNS.
It is unclear how the attackers gained access to the contractor's network, but once inside, the group first deployed the RoyalCLI backdoor, together with BS2005, an older backdoor used in past attacks.
....
....
....