A sophisticated hacking campaign has been underway since early 2022 by a China-based advanced persistent threat group known as Earth Krahang. The campaign has targeted at least 116 organizations across 45 countries and has successfully breached over 70 of them. Government institutions are the primary focus: the victims include 48 government organizations, among them 10 Foreign Affairs ministries, and a further 49 government agencies were targeted.
Earth Krahang gains initial access by exploiting specific vulnerabilities such as CVE-2023-32315 (Openfire) and CVE-2022-21587 (Oracle Web Apps) on publicly accessible servers, by deploying customized backdoors, and by conducting spear-phishing attacks in support of cyber espionage. The group also turns compromised infrastructure against other governments: it establishes VPN servers on compromised systems and carries out brute-force attacks against government email accounts.
Earth Krahang’s attacks aim to establish a foothold and move laterally within victim networks, deploying malware and tools such as RESHELL, Cobalt Strike, and XDealer. Although the group uses tools previously associated with other hacker groups, it customizes them with different encryption keys.
The complete list of indicators of compromise (IoCs) for this Earth Krahang campaign has been separately published here.