A secretive and highly elusive Chinese hacking group known as GhostEmperor, infamous for its advanced supply-chain attacks on telecommunications and government sectors in Southeast Asia, has resurfaced after more than two years. Researchers indicate that the group has enhanced its capabilities to avoid detection.
In a report released on Wednesday, cybersecurity firm Sygnia revealed that it traced an incident back to GhostEmperor involving a compromised network of an unnamed client, which was then exploited to infiltrate another victim’s systems.
This marks the first report on GhostEmperor since Kaspersky Lab identified the group in 2021. Amir Sadon, Sygnia’s director of incident response research, expressed uncertainty about the lack of public updates regarding the group’s activities during the intervening period. He stated, “We don’t know. We hope that by making this information public, we can understand what has changed and why there was this gap—whether it was due to inactivity or a lack of visibility.”
GhostEmperor is recognized for utilizing a sophisticated hacking tool known as a kernel-level rootkit, typically associated with state-sponsored hacking due to the extensive resources required to develop and maintain such tools. This rootkit grants the group access to the most privileged areas of a computer’s operating system (the kernel), allowing it to operate beneath the visibility of endpoint detection and response (EDR) security systems and so evade detection.
Sadon explained, “Once you run a rootkit, it is much easier for you to evade the common EDR tools and anti-viruses because you’re actually working beneath their visibility.” Sygnia noted that the rootkit, referred to as Demodex by Kaspersky, is largely an updated version of previously described tools, but the new infection chain indicates GhostEmperor is employing more sophisticated and stealthy methods for its operations.
In Kaspersky’s 2021 report, GhostEmperor’s hackers were characterized as highly skilled, targeting numerous high-profile entities across Malaysia, Thailand, Vietnam, and Indonesia, as well as organizations in Egypt, Ethiopia, and Afghanistan. The report suggested that these attacks might have been aimed at monitoring activities in regions of geopolitical interest.
Sadon highlighted the significance of the supply-chain dynamics in the recent attack, noting that the threat actor’s primary activity upon gaining access to the client’s network was to penetrate the networks of the client’s business partners.
Azeem Aleem, Sygnia’s managing director, remarked on the group’s evolution since Kaspersky’s initial findings, particularly regarding the sophisticated methods employed by the rootkit to bypass EDR protections. He emphasized the need for organizations to be aware of their environments, stating, “There’s no 100% security; everyone will be breached, but it’s crucial to minimize the time an adversary has access to your environment.”