In a significant shift in tactics, a Chinese state-sponsored hacking group has increasingly relied on open-source tools to carry out cyber espionage campaigns, blending in with more common cybercriminal activity. This adaptation marks a departure from their usual custom-built malware, allowing the group to fly under the radar of security experts. The group, known as UNC5174, has targeted Western governments, technology companies, research institutions, and think tanks in an attempt to infiltrate critical infrastructure and steal sensitive data.
Rising Trend of Open-Source Tools in State-Sponsored Hacking
UNC5174, a China-based espionage group with ties to the government, has been observed using open-source tools and more accessible techniques typically associated with lesser-skilled cybercriminals. In recent campaigns, the group has adopted tools like VShell, an open-source Remote Access Trojan (RAT) developed by a Chinese programmer and widely used by cybercriminals. This tool is part of a growing trend where advanced, state-sponsored hackers are moving away from bespoke, highly specialized malware in favor of publicly available open-source software.
According to researchers from Sysdig, who tracked the
Alongside VShell, UNC5174 has also used WebSockets, a widely adopted open-source communication protocol, to communicate with their command-and-control servers. This method encrypts much of the malicious traffic, making it harder to identify the attack. Sysdig’s threat researcher Alessandra Rizzo noted that their analysis of network traffic found minimal suspicious activity once the connection was upgraded to WebSockets, further obscuring the group’s presence.
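One way a defender can surface the WebSocket upgrade pattern described above, as an added example that is not part of the original report or of Sysdig's tooling: parse proxy log lines, isolate successful `101 Switching Protocols` upgrades, and flag those toward hosts outside an allowlist of known WebSocket services. The log format, the allowlist and the sample hosts are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the article). Each line is:
# "<epoch> <src_ip> <dst_host> <method> <path> <status> <request_headers>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 chat.example-corp.internal GET /ws 101 Upgrade:websocket;Connection:Upgrade
1700000001 10.0.0.5 cdn.example-corp.internal GET /static/app.js 200 -
1700000002 10.0.0.9 updates.exarnple-corp.com GET /api/v1/socket 101 Upgrade:websocket;Connection:Upgrade
1700000003 10.0.0.9 updates.exarnple-corp.com GET /api/v1/socket 101 Upgrade:websocket;Connection:Upgrade
1700003602 10.0.0.9 updates.exarnple-corp.com GET /api/v1/socket 101 Upgrade:websocket;Connection:Upgrade
"""

# Hosts where WebSocket upgrades are expected in this (assumed) environment;
# upgrades to any other host are handed to an analyst for triage.
KNOWN_WS_HOSTS = {"chat.example-corp.internal"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, method, path, status, hdrs = m.groups()
    return {"ts": int(ts), "src": src, "host": host, "method": method,
            "path": path, "status": int(status), "headers": hdrs.lower()}


def is_ws_upgrade(rec):
    """A completed WebSocket handshake: 101 plus an Upgrade: websocket header."""
    return rec["status"] == 101 and "upgrade:websocket" in rec["headers"]


def find_suspicious_upgrades(log_text, known_hosts=KNOWN_WS_HOSTS):
    """Group WebSocket upgrades to non-allowlisted hosts by (source, host).

    Returns, per pair, how many upgrades were seen and the time span they
    cover; repeated upgrades over a long span are a sign of a persistent
    channel worth inspecting rather than a one-off browser session."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_ws_upgrade(rec) and rec["host"] not in known_hosts:
            seen[(rec["src"], rec["host"])].append(rec["ts"])
    return {pair: {"count": len(ts), "span_s": max(ts) - min(ts)}
            for pair, ts in seen.items()}
```

Because the payload after the upgrade is opaque to the proxy, the handshake itself and the destination host are the points worth logging and reviewing.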
This evolution in cyberattack strategies is part of a broader trend among state-sponsored actors to blend in with common cybercriminal behaviors. Historically, UNC5174’s tools were custom-built, highly specialized, and not easily replicated by lesser-skilled hackers. However, this new use of widely available open-source tools signals a shift in their operational approach.
The group’s use of these tools has also been evident in their targeting of Linux-based systems. UNC5174 has consistently deployed custom malware, such as SNOWLIGHT, to maintain persistence and evade detection on compromised systems. SNOWLIGHT works in tandem with VShell to deploy fileless malware, a sophisticated method for maintaining long-term access without leaving traditional traces of infection.
Though the exact methods of initial access remain unclear, Sysdig’s investigation uncovered a series of suspicious command-and-control domains, suggesting that UNC5174 might be using typosquatting tactics or phishing campaigns to gain entry into targeted systems.
In 2024, a similar attack linked to UNC5174 was observed in France, where the group exploited a vulnerability in Ivanti’s Cloud Service Appliance to gain remote code execution access. This attack demonstrated how the group could leverage publicly known vulnerabilities in combination with their open-source tools. Additionally, there are indications that UNC5174 may be selling or renting access to compromised systems to the highest bidder, further diversifying their operations.
This approach reflects an emerging pattern among advanced hacking groups that rely on publicly available tools to mask their activities, making them harder to identify and attribute. Sysdig’s research suggests that the group’s use of VShell and WebSockets could be helping them remain undetected in ongoing campaigns, possibly spanning back as far as November 2024.
What Undercode Says:
The shift towards open-source tools by UNC5174 highlights a strategic adaptation to the evolving cybersecurity landscape. Traditionally, state-sponsored hacking groups have been known for developing sophisticated, custom-built malware to avoid detection. However, the use of open-source tools such as VShell and WebSockets indicates that these groups are becoming more pragmatic in their approach to cyber espionage. The move away from custom tools allows these actors to blend in with common cybercriminals, making their activities harder to track.
For one, the adoption of open-source tools enables UNC5174 to leverage a wider network of resources, making it easier to maintain operational security. Tools like VShell are readily available, allowing the group to quickly deploy malware without needing to invest in expensive and time-consuming custom development. This reduces the footprint of their attacks, as open-source tools are often less scrutinized by security experts compared to bespoke software developed by hacking groups.
The use of WebSockets as a communication protocol is another clever tactic. By encrypting their traffic, the group can obfuscate their activities from security systems and avoid detection. Traditional malware often sends traffic in easily recognizable patterns, which can be intercepted by intrusion detection systems. However, WebSockets enable encrypted, bidirectional communication between the compromised systems and the attacker, making it much more difficult to distinguish legitimate traffic from malicious activity.
The strategic advantage of using open-source tools is clear: it allows UNC5174 to maintain its operations while evading detection for longer periods. This tactic also reflects a broader trend in which state-sponsored hackers are increasingly relying on open-source resources to carry out complex cyber attacks. In doing so, they can scale their operations more efficiently while maintaining a low profile. This approach may be particularly advantageous in long-term espionage campaigns, where subtlety and persistence are key.
The fact that UNC5174 has been able to carry out operations under the radar for such an extended period underscores the effectiveness of their strategy. By avoiding bespoke malware and relying on tools commonly used by less sophisticated hackers, the group can effectively “hide in plain sight.” This tactic may continue to evolve, with UNC5174 and similar groups adopting new, widely available tools to maintain their stealthy operations.
In conclusion, UNC5174’s adoption of open-source tools is not just a shift in their operational methods but a reflection of a larger trend in cyber espionage. As state-sponsored actors increasingly embrace publicly available resources, the lines between cybercriminals and advanced threat actors are becoming increasingly blurred. This evolution suggests that cybersecurity professionals will need to adapt to new methods of detection and prevention, focusing on identifying not just custom malware but also the more subtle, stealthy tactics used by these groups.
Fact Checker Results:
The findings presented align with recent cybersecurity reports regarding the use of open-source tools by state-sponsored hackers. UNC5174’s reliance on tools like VShell and WebSockets has been corroborated by multiple research teams. Evidence suggests that these tools have been used in various espionage campaigns, especially in targeted attacks on Linux systems.
References:
Reported By: cyberscoop.com