Chinese phishing campaign targets European government entities

A Chinese threat actor is targeting European government entities. Researchers say the hackers appear to be motivated by intelligence gathering, not financial gain.

This week researchers at cybersecurity company Check Point announced that they had uncovered a sophisticated hacking campaign aimed at multiple European government entities.

Check Point says it has spent “the last couple of months” tracking the activity of a Chinese threat actor targeting governmental foreign and domestic policy entities as well as embassies in Europe.

The researchers have dubbed the campaign “SmugX”. It has been active since at least December 2022. The group is likely a direct continuation of a previously reported campaign attributed to RedDelta (and, to some extent, to the Mustang Panda group).

The campaign uses HTML Smuggling to deliver either a JavaScript file or a ZIP archive. This starts a long infection chain that ends with the victim being infected with PlugX malware, Check Point Research (CPR) says.

A shifting trend in targeting

Most of the targeted countries in the campaign are Eastern European (CEE) countries such as Ukraine, the Czech Republic, Slovakia and Hungary. However, Check Point says that the group has also targeted Britain and France. The researchers assess that “the goal of the campaign is to get a hold of sensitive information on the foreign policies of those countries”.

CPR says that this targeting “represents a larger trend within the Chinese ecosystem”. The researchers relate it to the activities of other China-based groups they have observed. It signals a shift in targeting towards European entities, with a focus on foreign policy.

Indeed, the majority of the documents used as phishing lures contained diplomatic-related content. In some cases, the content was directly related to China and human rights in China. There’s no doubt that it was intended to pique the interest of European government workers.

In addition, the names of the archived files themselves strongly suggest that the intended victims were diplomats and public servants in these government entities.

This targeting priority implies that the goal of the SmugX phishing campaign is ultimately some form of espionage.