Palo Alto Networks’ threat intelligence arm Unit 42 has released a report detailing the movements of PKPLUG, a previously unnamed Chinese nation-state adversary which has been conducting cyber-espionage attacks primarily across the Asia.

The group has been active since 2013, using a mix of publicly available and custom malware families to track and gather information on victims. Some of the more well-known are Poison Ivy, PlugX and Zupdax; some are less well-known, such as 9002, HenBox and Farseer

Key findings of the report include: 

  • Broad reach in Asia: PKPLUG targets various countries or provinces in and around the Southeast Asia region for multiple possible reasons as mentioned above, including some countries that are members of ASEAN, some regions that are autonomous to China, some countries and regions somewhat involved with China’s Belt and bRoad Initiative, and finally, some countries that are embroiled in ownership claims over the South China Sea. Countries affected include Taiwan and ASEAN members Myanmar, Vietnam, and Indonesia. Other areas targeted include Mongolia, Tibet and Xinjiang.
  • Cyber-espionage tactics: While the true objectives of PKPLUG are unclear, the installation of backdoors suggests tracking victims and gathering information as key goals. This is done via Trojan implants on victim systems, including Android mobile devices, given that smartphones and mobile devices are the dominant form of internet access in these regions.
  • Persistent adversary: Unit 42’s tracking shows the group(s) mostly use custom malware families. This attack vector makes defending and detecting the attacks more difficult for victims. The long history and series of custom tools imply that the group(s) is persistent by nature and well-resourced. Apart from deploying malware, the attackers took to delivering spear-phishing emails through social engineering tactics to lure their victims into opening attachments. 

The full report is available here.