Unfading Sea Haze | |
Location | China |
Date of initial activity | 2018 |
Suspected attribution | Unattributed espionage actor; targeting and tooling consistent with Chinese interests
Government Affiliation | Unknown |
Motivation | Cyberespionage |
Associated tools | SilentGh0st and other Gh0st RAT variants, SharpJSHandler, custom .NET payloads
Software | Windows |
Overview
Unfading Sea Haze has been active since at least 2018 and focuses on military and government targets in the South China Sea region. Over that period the group has developed and deployed a range of malware, including several iterations of the Gh0st RAT framework and various .NET-based payloads. These tools gave the group long-term access to compromised systems, and the fact that this access survived for years also points to weak credential hygiene and slow patching in the targeted organizations.
That the actor stayed undetected for more than five years is particularly alarming. Extensive cross-referencing of artifacts against public reporting turned up no previous mention of Unfading Sea Haze's activity, which underscores both the stealth of its operations and the need for stronger defenses among its targets.
Common targets
Unfading Sea Haze primarily targets high-level organizations in the South China Sea region, with a particular focus on:
Military Organizations: Unfading Sea Haze has shown a keen interest in military entities, aiming to gather intelligence and sensitive information that could provide strategic advantages.
Government Agencies: The group targets various government departments and agencies, likely to extract information related to national security, policy decisions, and diplomatic communications.
Political Institutions: Political parties and institutions are also on their radar, as gaining insights into political strategies and maneuvers can be valuable for influencing regional dynamics.
Educational Institutions: Universities and research centers involved in political or military research are targeted to access cutting-edge research and intellectual property.
Think Tanks: Organizations that provide strategic analysis and policy recommendations are targeted for their insights into regional and global political dynamics.
Attack Vectors
Phishing Emails
Exploitation of Vulnerabilities
Malicious Attachments
Remote Access Tools
How they operate
At the core of Unfading Sea Haze's operations is the Gh0st RAT framework, a remote access tool that gives the operator extensive control over a compromised host. The group uses several custom variants of it to establish and maintain persistent access to target networks, alongside its own .NET payloads, which show a willingness to adapt tooling to the requirements of each campaign.
One notable element of the toolset is SharpJSHandler, which fills the role of a web shell without depending on an IIS server. Instead of being hosted as a page on an existing web server, SharpJSHandler listens for HTTP requests itself and executes the encoded JavaScript carried in each request through the Microsoft.JScript library. The distinction matters for defenders: web-shell detections keyed to w3wp.exe spawning child processes, or to new files appearing under an IIS web root, do not fire, because no IIS process is involved. Variants of SharpJSHandler have also been observed using cloud storage services such as Dropbox and OneDrive for communication; those variants need no inbound listener at all, so network detections that expect web-shell traffic to reach an exposed web server miss them as well.
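The practical consequence for hunting is that an IIS-centric check misses this handler. The following PowerShell script is an added example, not code from the original page or from Bitdefender's report. It lists listening HTTP-style endpoints that are not owned by the expected web server, checking both raw TCP sockets and HTTP.sys URL registrations, because the page does not say whether SharpJSHandler binds its own socket or uses the .NET HttpListener (which registers with HTTP.sys, so in socket listings the port shows up under PID 4 and only netsh names the real process). The baseline image list, the web-port list and the Microsoft.JScript module heuristic are assumptions to tune per environment, and the parsing of `netsh http show servicestate view=requestq` assumes that command's layout on current Windows versions.

```powershell
# Added example (not code from the original page or from Bitdefender's report):
# enumerate HTTP-style listeners on a Windows host that are not the expected web server,
# the gap a SharpJSHandler-like handler sits in. Two views are needed:
#   1. raw TCP sockets in LISTEN state, where the owning PID is the listener itself;
#   2. HTTP.sys request queues, because a .NET HttpListener registers a URL with HTTP.sys
#      and the socket then belongs to PID 4 (System); only netsh names the real process.
# Assumptions: $ExpectedImages and $WebPorts are an example baseline; the Microsoft.JScript
# module check is a heuristic; the netsh parsing assumes the current 'view=requestq' layout.
# Run elevated so other users' process modules can be read.

$ExpectedImages = @('w3wp.exe', 'svchost.exe', 'httpd.exe', 'nginx.exe')  # assumption; svchost.exe covers WinRM
$WebPorts       = @(80, 443, 8000, 8080, 8443, 8888)                      # assumption

function Get-ImageForPid {
    param([int]$ProcessId)
    if ($ProcessId -eq 4) { return 'System' }                  # kernel, includes HTTP.sys
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $p) { return '<exited>' }
    if ($p.Path) { return [System.IO.Path]::GetFileName($p.Path) }
    return "$($p.ProcessName).exe"                             # Path unreadable (protected process)
}

function Test-JScriptLoaded {
    # Heuristic: a managed process that evaluates JScript has Microsoft.JScript(.ni).dll mapped.
    param([int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    try { return [bool]($p.Modules | Where-Object { $_.ModuleName -like 'Microsoft.JScript*' }) }
    catch { return $false }                                    # access denied or 32/64-bit mismatch
}

function New-Finding {
    param([string]$Source, [int]$ProcessId, [string]$Endpoint, [bool]$WebPort)
    [pscustomobject]@{
        Source   = $Source
        Pid      = $ProcessId
        Image    = Get-ImageForPid $ProcessId
        Endpoint = $Endpoint
        WebPort  = $WebPort
        JScript  = Test-JScriptLoaded $ProcessId
    }
}

$findings = @()

# 1. Raw sockets. PID 4 entries are HTTP.sys registrations and are resolved in step 2.
foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    if ($c.OwningProcess -eq 4) { continue }
    $endpoint = "$($c.LocalAddress):$($c.LocalPort)"
    $findings += New-Finding -Source 'socket' -ProcessId $c.OwningProcess -Endpoint $endpoint -WebPort ($WebPorts -contains [int]$c.LocalPort)
}

# 2. HTTP.sys request queues: 'Process IDs:' lists attached processes, then the queue's
#    URL groups list 'Registered URLs:'. Pair each PID block with the URLs that follow it.
$queues = @(); $q = $null; $mode = ''
foreach ($line in (netsh http show servicestate view=requestq)) {
    $t = "$line".Trim()
    if ($t -eq 'Process IDs:')         { $q = [pscustomobject]@{ Pids = @(); Urls = @() }; $queues += $q; $mode = 'pids' }
    elseif ($t -eq 'Registered URLs:') { if ($q) { $mode = 'urls' } }
    elseif ($mode -eq 'pids')          { if ($t -match '^\d+$') { $q.Pids += [int]$t } elseif ($t) { $mode = '' } }
    elseif ($mode -eq 'urls')          { if ($t -match '^HTTPS?://') { $q.Urls += $t } elseif ($t) { $mode = '' } }
}
foreach ($q in $queues) {
    foreach ($qp in $q.Pids) {
        $findings += New-Finding -Source 'http.sys' -ProcessId $qp -Endpoint ($q.Urls -join ' ') -WebPort $true
    }
}

# Report everything outside the baseline; JScript-loaded processes and web ports first.
$findings |
    Where-Object { $ExpectedImages -notcontains $_.Image } |
    Sort-Object @{ Expression = 'JScript'; Descending = $true }, @{ Expression = 'WebPort'; Descending = $true }, Pid |
    Format-Table Source, Pid, Image, Endpoint, WebPort, JScript -AutoSize
```

Treat a hit as a lead, not a verdict. Matching images by name is only a baseline and a renamed binary defeats it, so check the Path and Authenticode signature of anything reported, and remember that the Dropbox and OneDrive variants open no listener at all: those have to be hunted in proxy or firewall logs, where a server that has no business talking to consumer cloud storage stands out.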
The group's initial access methods are varied: phishing emails deliver malicious payloads, known vulnerabilities in exposed software and systems are exploited, and malicious attachments are sent by email or distributed through other channels. Once inside a network, Unfading Sea Haze relies on remote access tools and command and control (C2) channels to keep and extend its foothold, run commands remotely, and exfiltrate sensitive data.
Unfading Sea Haze's persistence and adaptability mark it as a proficient espionage operation. Its focus on military and government targets around the South China Sea points to strategic collection objectives aligned with broader geopolitical interests. By combining established tools with custom-developed payloads, the actor remains a significant concern for security teams and organizations operating in the region.
MITRE Tactics and Techniques
T1071.001 – Application Layer Protocol: Web Protocols: Use of HTTP for command and control, including the HTTP handler exposed by SharpJSHandler.
T1133 – External Remote Services: Use of externally reachable remote services to gain or regain access to the network.
T1218 – System Binary Proxy Execution (formerly Signed Binary Proxy Execution): Running payloads through trusted, signed Windows binaries.
T1059.001 – Command and Scripting Interpreter: PowerShell: Execution of malicious scripts through PowerShell.
T1064 – Scripting (deprecated in ATT&CK; now covered by the T1059 sub-techniques): Execution of scripts to perform actions within the target environment.
T1105 – Ingress Tool Transfer: Transfer of tools and files to and from the compromised system.
T1070.001 – Indicator Removal: Clear Windows Event Logs (formerly Indicator Removal on Host): Clearing event logs to remove traces of activity. The clearing itself is recorded, as Security Event ID 1102 for the Security log and System Event ID 104 for other channels, unless auditing has also been tampered with.
T1203 – Exploitation for Client Execution: Exploiting vulnerabilities in client applications to execute code.
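For T1070.001 in particular, the act of clearing a log is itself recorded before the log goes quiet, so it is one of the few anti-forensic steps that leaves a reliable artifact. The following PowerShell script is an added example, not code from the original page or from Bitdefender's report; it collects those records from a host. It relies on Security Event ID 1102 and System Event ID 104 being the clearing records (they are, on supported Windows versions), assumes process-creation auditing (Security 4688) with command-line logging is enabled for the third check, and treats the 30-day window and the regex of clearing commands as starting points to adjust.

```powershell
# Added example (not code from the original page or from Bitdefender's report):
# find the records that log clearing leaves behind on a Windows host.
#   Security 1102 - the Security log was cleared (provider Microsoft-Windows-Eventlog)
#   System   104  - another log channel was cleared (same provider; names the channel)
#   Security 4688 - process creation; flagged when the command line is a clearing tool
# Assumptions: 4688 with command-line auditing is enabled; $Since and $ClearCmd are examples.

$Since    = (Get-Date).AddDays(-30)
$ClearCmd = 'wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog|Remove-EventLog'   # extend as needed

function Get-LogClearedEvents {
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System';   Id = 104;  ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            # Both events carry UserData/LogFileCleared with SubjectUserName; 104 also names the Channel.
            $ud = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            $channel = if ($_.Id -eq 104) { $ud.Channel } else { 'Security' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Host     = $_.MachineName
                Evidence = "EventID $($_.Id)"
                Cleared  = $channel
                Subject  = "$($ud.SubjectDomainName)\$($ud.SubjectUserName)"
                Detail   = "recorded in $($_.LogName) log"
            }
        }
    }
}

function Get-LogClearCommands {
    # 4688 volume is large; the hashtable narrows by ID and time, the regex by content.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['CommandLine'] -match $ClearCmd) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Host     = $_.MachineName
                    Evidence = 'EventID 4688'
                    Cleared  = '(see Detail)'
                    Subject  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Detail   = $d['CommandLine']
                }
            }
        }
}

$results = @(Get-LogClearedEvents) + @(Get-LogClearCommands)
if ($results.Count -eq 0) {
    "No log-clearing evidence since $Since (confirm that auditing itself was not disabled)."
} else {
    $results | Sort-Object Time | Format-Table Time, Host, Evidence, Cleared, Subject, Detail -AutoSize -Wrap
}
```

On a host the actor has already cleaned, the 1102 and 104 records may be the only thing left, which is why they should be forwarded to a collector the moment they are written rather than read locally after the fact. An absence of 1102 combined with a Security log whose oldest record is suspiciously recent is itself a finding; check the log's retention settings and the audit policy before concluding nothing happened.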
Impact / Significant Attacks
2018 – Philippine Navy: Initial attacks targeted military networks, including those associated with the Philippine Navy.
2019 – Philippine Coast Guard: The group conducted further operations against maritime security organizations, such as the Philippine Coast Guard.
2020 – Indonesian Ministry of Foreign Affairs: Unfading Sea Haze expanded their focus to include diplomatic and foreign affairs institutions in the region.
2021 – Vietnam Ministry of Defense: The group targeted the Ministry of Defense in Vietnam, reflecting a continued interest in military and defense-related information.
2022 – Malaysian Ministry of Defense: The group’s activities included attacks on the Malaysian Ministry of Defense, emphasizing their ongoing focus on regional military organizations.
2023 – Brunei Ministry of Foreign Affairs: Recent attacks have targeted Brunei’s Ministry of Foreign Affairs, highlighting the group’s persistent interest in diplomatic and government networks within the South China Sea region.