Google’s Threat Analysis Group (TAG) says China’s People’s Liberation Army (PLA) and other Chinese intelligence agencies are trying to get more information about the ongoing Russian war in Ukraine.
Google TAG security engineer Billy Leonard said Google notified Ukrainian government organizations targeted by a Chinese-sponsored hacking group.
“Over the past few weeks, Google TAG has identified a CN government-backed actor targeting Ukrainian government organizations, and we have provided notifications to affected parties,” Leonard said.
“While our priority is to provide notices to affected parties, we have provided related IOCs to community partners, and will release more details for the security community in the near future.”
TAG head Shane Huntley also confirmed Leonard’s assessment, saying that “the war in Ukraine is not only attracting the interest of European threat actors. China is working hard here too”.
This lines up with claims by Intrusion Truth, a secretive group known for its work exposing suspected Chinese hacking operations, which said on Tuesday it was aware of Chinese threats targeting Ukraine, likely at the behest of the Chinese government.
Intrusion Truth has also asked infosec experts to share any indicators or samples related to malicious Chinese activity in Ukraine through public or anonymous channels.
I’m guessing it’s cyber espionage, which you’d expect, but it’s still not good. https://t.co/SeJWEYrWRv
— John Hultquist (@JohnHultquist) March 15, 2022
Chinese hackers also target Europe
Google TAG’s report on ongoing Chinese cyber operations in Ukraine follows another warning issued a week ago about a China-backed hacking group tracked as APT31 targeting Gmail users affiliated with the US government.
A day earlier, Google security analysts revealed that Russians and Belarusians had targeted Ukrainian and European government and military organizations in widespread phishing and DDoS attacks.
“Over the past 12 months, TAG has issued hundreds of government-backed attack warnings to users in Ukraine, alerting them that they have been the target of a government-backed hack, emanating largely from Russia,” said Shane Huntley, head of TAG at Google.
Google added that China-backed hacking group Mustang Panda (aka Temp.Hex and TA416) has also carried out phishing attacks against European organizations using decoys linked to the invasion of Ukraine.
On the same day, Proofpoint revealed that it had detected Mustang Panda phishing “of European diplomatic entities, including someone involved in refugee and migrant services.”