
Threat hunters have discovered a set of previously unreported domains, with registrations dating back to May 2020.
“The domains date back several years and further confirm that the oldest registration activity occurred in May 2020 and that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” Silent Push said in a new analysis shared with The Hacker News.
The identified infrastructure, 45 domains in total, also shares some degree of overlap with another China-linked hacking group tracked as UNC4841, best known for its zero-day exploitation of a security flaw in Barracuda Email Security Gateway (ESG) appliances (CVE-2023-2868, CVSS score: 9.8).
Salt Typhoon, which has been active since 2019, drew extensive attention last year for targeting telecommunications service providers. Believed to be operated by China’s Ministry of State Security (MSS), the threat cluster shares similarities with activities tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807.

Silent Push said it has identified three Proton email addresses that were used to register up to 16 domains with non-existent addresses.
Further investigation of the IP addresses associated with the 45 domains revealed that many of these domains point to high-density IP addresses, that is, IP addresses that many hostnames currently point to or have pointed to in the past. Among the domains pointing to low-density IP addresses, the earliest activity dates back to October 2021.
The oldest domain identified as part of the China-backed cyber espionage campaign is online[.]com, registered on May 19, 2020 by a fake persona called Monikakuchi, claiming to be a resident of 1294 Koontz Lane in Los Angeles, California.
“As a result, we strongly urge organizations that believe themselves to be at risk of Chinese espionage to search their DNS logs for the past five years for requests to any of the domains in the archive feed, or their subdomains,” Silent Push said.
“It would also be wise to check requests to any of the listed IP addresses, especially during the periods in which this actor operated them.”
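
The retrospective DNS-log search recommended above, as an added example that is not from Silent Push or the original article. The domains, the IP address with its operating window, and the four-column log format are constructed placeholders; subdomains are matched on whole-label boundaries, and an IP hit counts only when the query falls inside the window.

```python
from datetime import date, datetime
from ipaddress import ip_address

# Constructed placeholder indicators; substitute the vendor's published list.
DOMAINS = {"bad-infra[.]example", "update-check[.]example"}
# IP -> (first, last) day the actor is assumed to have operated it.
IP_WINDOWS = {"203.0.113.10": ("2021-10-01", "2022-03-31")}

# Constructed log lines: UTC timestamp, client, query name, answer IP.
SAMPLE_LOG = """\
2020-06-02T08:15:00Z 10.0.0.5 cdn.bad-infra.example. 198.51.100.7
2021-11-20T13:02:11Z 10.0.0.9 portal.vendor.example 203.0.113.10
2023-05-01T09:00:00Z 10.0.0.9 portal.vendor.example 203.0.113.10
2022-01-05T10:00:00Z 10.0.0.7 notbad-infra.example 198.51.100.9
2024-02-10T22:40:00Z 10.0.0.5 UPDATE-CHECK.example 198.51.100.8
"""

def refang(name):
    """Normalize a defanged or fully qualified name for comparison."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()

def domain_hit(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of.

    Whole-label suffixes are compared, so notbad-infra.example is no match.
    """
    labels = refang(qname).split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in domains), None)

def hunt(log_text, domains=DOMAINS, ip_windows=IP_WINDOWS):
    """Return (timestamp, client, kind, indicator) for every matching line."""
    domains = {refang(d) for d in domains}
    windows = {ip_address(ip): tuple(map(date.fromisoformat, w))
               for ip, w in ip_windows.items()}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, answer = parts
        if (matched := domain_hit(qname, domains)):
            hits.append((ts, client, "domain", matched))
        try:
            first, last = windows[ip_address(answer)]
        except (KeyError, ValueError):
            continue  # answer is not a listed IP, or not an IP at all
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        if first <= day <= last:
            hits.append((ts, client, "ip", answer))
    return hits
```

Each hit keeps the querying client, which is the host to triage first.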