Shipping companies, medical laboratories in Asia targeted in espionage campaign

Several shipping companies and medical laboratories in an unspecified Asian country have been targeted in an ongoing espionage campaign that began in October, according to researchers from from Symantec.

The hackers behind the campaign — which the researchers named Hydrochasma — have no ties to any group Symantec has researched before. 

The company is not publicly identifying the target nation, Brigid O Gorman, senior intelligence analyst with the Symantec Threat Hunter Team, told The Record.

The researchers do not know where Hydrochasma is based, but O Gorman said the group has specifically gone after companies related to COVID-19 treatments and vaccines. 

“The actors did not use any custom malware, relying exclusively and extensively on publicly available and living-off-the-land tools,” she said. Using those tactics "can help make an attack stealthier, while also making attribution more difficult."

In its report, Symantec explained that the most likely motivation behind the campaign is intelligence gathering and potentially data exfiltration. 

The initial infection likely began with a phishing email because researchers found two lure documents in a victim organization’s native language related to shipping information, as well as an engineering resume. 

From those malicious files on one machine, the hackers were able to deploy several tools that allowed them to move around the victim’s network and expose local servers so that they could be taken over. 

Researchers found dozens of tools on the network that allowed for scanning, data exfiltration, remote connections and more.

“The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks,” the researchers said. 

“While Symantec researchers didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data," the researchers said. "The sectors targeted also point towards the motivation behind this attack being intelligence gathering.”