Chinese Hackers Using Open Source Tools To Launch Cyber Attacks

Three Chinese state-backed threat groups, APT10, GALLIUM, and Stately Taurus, have repeatedly employed a modified version of the open-source network scanning tool NBTscan over the past decade. 

NBTscan, designed for network discovery and forensics, sends NetBIOS status queries to IP addresses within a specified range. 

By analyzing the responses, it extracts valuable information like IP addresses, computer names, logged-in usernames, and MAC addresses, as these threat groups have leveraged NBTscan’s capabilities to gather intelligence on target networks and compromise systems.

APT10, a Chinese threat group, has been identified as using a modified NBTscan tool to conduct reconnaissance against multiple targets.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

In Operation Cloud Hopper, they targeted managed IT service providers, searching for vulnerable endpoints and gathering system information. 

Similarly, in Operation Soft Cell, they focused on telecommunications providers worldwide, using NBTscan to identify available NetBIOS name servers, which allowed APT10 to map network infrastructure and identify potential entry points for further attacks.

Microsoft identified GALLIUM, a Chinese state-affiliated threat group, as the perpetrator of attacks on global telecommunication providers in 2019, which employed a range of tools, primarily commercial or modified security software, to conduct reconnaissance and lateral movement within targeted networks. 

Among these tools, NBTscan was utilized to identify open NetBIOS nameservers on both local and remote TCP/IP networks, facilitating the group’s reconnaissance efforts.

The Chinese cyber espionage threat actor Stately Taurus, also known as Mustang Panda, has been identified as using the NBTscan tool to scan infected environments for live hosts, open ports, and domain information. 

This tool has also been reported to be used by other Chinese threat groups, such as Earth Lusca and TGR-STA-0043.

Over the past decade, Chinese threat actors have repeatedly employed NBTscan or modified versions of it, indicating its popularity among them.

APT40, a Chinese state-sponsored hacking group, has been utilizing the ScanBox reconnaissance tool for several years, which is a JavaScript-based framework that collects information about visitors to compromised websites, including their system details, location, and keystrokes. 

It has used ScanBox in targeted phishing campaigns against Australian government agencies, news media companies, and wind turbine manufacturers by customizing the ScanBox script for its campaigns and has been observed using it in conjunction with election-themed lures.

Chinese state-aligned APT group TGR-STA-0043, responsible for Operation Diplomatic Specter, has shifted its tactics by utilizing the newly developed penetration testing toolset Yasso. 

Unlike older tools often used by Chinese threat actors, Yasso offers advanced features like SQL penetration functions and database capabilities, which suggests a more sophisticated and well-resourced threat actor, potentially a state-sponsored group rather than a hired hacker. 

TGR-STA-0043 has been targeting governmental entities in the Middle East, Africa, and Asia, aiming to obtain sensitive information related to diplomacy, economics, military operations, and political affairs.

Earth Krahang, a Chinese-nexus threat actor, heavily employs open-source scanning tools to identify vulnerable targets for attacks such as sqlmap, nuclei, xray, pocsuite, and wordpressscan, which are often developed by Chinese-speaking developers. 

The Natto Team discovered a repository called “Scanners Box” containing hundreds of open-source scanning tools, many of which are Chinese-developed, which indicates a significant enthusiasm among Chinese developers for creating scanning tools, reflecting the popularity and importance of such tools in the security landscape.

Download Free Incident Response Plan Template for Your Security Team – Free Download