This week, Microsoft announced it had recently removed 18 Azure Active Directory apps that were being abused by GADOLINIUM, a China-linked state-sponsored threat actor.
The adversary, also known as APT40, TEMP.Periscope, TEMP.Jumper, Leviathan, BRONZE MOHAWK, and Kryptonite Panda, has been active since at least 2013, primarily supporting Chinese naval modernization efforts by targeting various engineering and maritime entities, including a U.K.-based company.
In recent attacks that begin with spear-phishing emails carrying malicious attachments, the threat actor has been observed using Azure cloud resources and open-source software.
“Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks as these attacks were detected, and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure,” says the tech company.
According to Microsoft, GADOLINIUM has extended its target list to include the Asia-Pacific region, as well as higher-education institutions and regional government agencies. Over the past year the actor has added open-source tools to a toolset that previously relied on custom malware, which makes its activity harder to track.
The group has been experimenting with cloud services for years, beginning with a Microsoft TechNet profile in 2016. In 2018 it abused GitHub to host commands, and related tactics were used in attacks in 2019 and 2020.
Like other state-sponsored groups that have made the same shift, GADOLINIUM gains two things from open-source tooling: lower overall cost and harder attribution.
In April this year the adversary adopted COVID-19 lures in its spear-phishing emails. The resulting multi-stage infection process delivers a modified version of the open-source PowerShell Empire toolkit.
The toolkit allows the threat actor to load additional modules onto the victim's machine, including a command-and-control module that uses OneDrive to retrieve commands and return results. As part of these attacks, GADOLINIUM used an Azure Active Directory application to exfiltrate data to OneDrive.
“The activity initially appears to be related to trusted applications using trusted cloud service APIs from an endpoint or network monitoring perspective, and there are no OAuth permission prompts in this scenario,” explains Microsoft.
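The detection problem Microsoft describes is that the destination (graph.microsoft.com, OneDrive) is trusted, so reputation-based controls see nothing. What a defender can baseline instead is which client is talking to that trusted API: the OAuth client_id in the token request and the process on the endpoint, plus whether the access pattern looks like an interactive user or a C2 poll for new command files. The script below is an added example, not code from the article or from Microsoft; the JSON log format, field names, placeholder client IDs, process allowlist and sample events are all constructed assumptions for illustration.

```python
"""Flag OneDrive/Graph API use from clients outside a baseline.

Added example (not from the article or Microsoft). ASSUMED: an endpoint
agent or proxy exports one JSON object per line with the keys used below;
the client IDs, process names and hosts are placeholders, not real values.
"""
import json
from collections import defaultdict
from datetime import datetime

# Assumed baseline: the OAuth clients and processes an organisation expects
# to see talking to its OneDrive/Graph endpoints. Placeholder GUIDs.
ALLOWED_CLIENT_IDS = {
    "00000000-0000-0000-0000-0000000000a1",  # placeholder: OneDrive sync client
    "00000000-0000-0000-0000-0000000000a2",  # placeholder: Office desktop apps
}
ALLOWED_DRIVE_PROCESSES = {"OneDrive.exe", "explorer.exe", "WINWORD.EXE"}
DRIVE_PATH_PREFIXES = ("/v1.0/me/drive", "/v1.0/drives/")

# Constructed sample log: legitimate OneDrive/Word traffic on two hosts, plus a
# PowerShell process on ws17 that obtains a token with an unknown client_id,
# lists the same OneDrive folder once a minute and uploads a result file.
SAMPLE_LOG = """
{"ts":"2020-09-24T10:00:58Z","host":"ws17","process":"OneDrive.exe","dest":"login.microsoftonline.com","path":"/common/oauth2/v2.0/token","client_id":"00000000-0000-0000-0000-0000000000a1"}
{"ts":"2020-09-24T10:01:05Z","host":"ws17","process":"OneDrive.exe","dest":"graph.microsoft.com","path":"/v1.0/me/drive/root/children"}
{"ts":"2020-09-24T10:03:30Z","host":"ws17","process":"OneDrive.exe","dest":"graph.microsoft.com","path":"/v1.0/me/drive/root/children"}
{"ts":"2020-09-24T10:04:50Z","host":"ws17","process":"powershell.exe","dest":"login.microsoftonline.com","path":"/common/oauth2/v2.0/token","client_id":"00000000-0000-0000-0000-0000000000ff"}
{"ts":"2020-09-24T10:05:00Z","host":"ws17","process":"powershell.exe","dest":"graph.microsoft.com","path":"/v1.0/me/drive/root:/tasks:/children"}
{"ts":"2020-09-24T10:06:00Z","host":"ws17","process":"powershell.exe","dest":"graph.microsoft.com","path":"/v1.0/me/drive/root:/tasks:/children"}
{"ts":"2020-09-24T10:07:00Z","host":"ws17","process":"powershell.exe","dest":"graph.microsoft.com","path":"/v1.0/me/drive/root:/tasks:/children"}
{"ts":"2020-09-24T10:07:02Z","host":"ws17","process":"powershell.exe","dest":"graph.microsoft.com","path":"/v1.0/me/drive/root:/results/out.txt:/content"}
{"ts":"2020-09-24T10:09:00Z","host":"ws22","process":"WINWORD.EXE","dest":"graph.microsoft.com","path":"/v1.0/me/drive/recent"}
"""


def parse_events(text):
    """Parse the one-JSON-object-per-line export into dicts with datetime stamps."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_drive_call(ev):
    """True for Graph requests that touch a OneDrive drive."""
    return ev["dest"] == "graph.microsoft.com" and ev["path"].startswith(DRIVE_PATH_PREFIXES)


def unexpected_clients(events):
    """Rule 1: a token request whose client_id is outside the baseline.
    Rule 2: a drive API call from a process outside the baseline.
    The destination is trusted in both cases; only the client is odd."""
    findings = []
    for ev in events:
        if ev["dest"] == "login.microsoftonline.com" and ev.get("client_id") not in ALLOWED_CLIENT_IDS:
            findings.append(("unknown-oauth-client", ev["host"], ev["process"], ev.get("client_id")))
        elif is_drive_call(ev) and ev["process"] not in ALLOWED_DRIVE_PROCESSES:
            findings.append(("drive-api-from-unexpected-process", ev["host"], ev["process"], ev["path"]))
    return findings


def polling_processes(events, min_calls=3, jitter_s=5):
    """Rule 3: a process that lists a drive folder at a near-constant interval
    behaves like a C2 module polling for new command files, not like a user.
    Returns (host, process, mean interval in seconds) for each such process."""
    by_proc = defaultdict(list)
    for ev in events:
        if is_drive_call(ev) and ev["path"].endswith("/children"):
            by_proc[(ev["host"], ev["process"])].append(ev["ts"])
    out = []
    for (host, proc), stamps in by_proc.items():
        stamps.sort()
        if len(stamps) < min_calls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            out.append((host, proc, round(sum(gaps) / len(gaps))))
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in unexpected_clients(evs):
        print("ALERT", *f)
    for host, proc, period in polling_processes(evs):
        print(f"POLLING {host} {proc} every ~{period}s")
```

Run against the constructed sample, the first two rules flag the PowerShell token request with the unknown client_id and its four drive calls, while the OneDrive and Word traffic passes; the third rule reports ws17/powershell.exe polling every ~60s. The rules are deliberately simple: in production the allowlists come from the organisation's own sign-in and endpoint baselines, and rule 3 needs a wider window and jitter tolerance than this toy sample uses.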