A sophisticated Chinese-speaking cyberespionage group has set its sights on the ministries of foreign affairs and embassies of at least nine countries spanning Africa, the Middle East, Europe, and Asia. According to researchers from Cisco Talos, this group, dubbed “SneakyChef,” is possibly aligned with Beijing and has shown significant evolution in its operations, collecting information on various geopolitical hotspots. Talos researchers have shared their detailed findings with CyberScoop, revealing the latest tactics and tools employed by this prolific hacking group.
Expanding Targets Across Continents
SneakyChef has been using scanned government documents, often not publicly available on the internet, as lures. The group appears to be focusing on government agencies in countries such as Angola, Turkmenistan, Kazakhstan, India, Saudi Arabia, South Korea, Uzbekistan, the U.S., and Latvia. Using these targeted approaches, the hackers aim to infiltrate and collect sensitive information from these nations. Cisco Talos researchers Chetan Raghuprasad, Ashley Shen, and members of the Yahoo Paranoids Advanced Cyber Threats Team have been closely monitoring these operations.
Advanced Remote Access Tools
The primary tool in SneakyChef’s arsenal is the SugarGh0st remote access tool, a customized variant of the well-documented Gh0st RAT. SugarGh0st first came to public attention in November through Talos’s analysis. Additionally, a new remote access trojan named SpiceRAT has emerged, delivered to targets through the same email address used by SneakyChef. These tools facilitate data exfiltration and remote access, enabling the group to maintain a presence within the compromised systems.
Persistent Campaigns and Aggressive Techniques
Cisco Talos’s lead security researcher, Vitor Ventura, notes that the group’s activity has been aggressive and prolific, with rapid developments in its malware capabilities. Despite extensive monitoring, there is still insufficient evidence to link SneakyChef to a specific government agency or known contractor. Some related activities have been attributed to Chinese advanced persistent threat (APT) groups, typically state-sponsored and operating at high levels. Proofpoint researchers earlier identified SugarGh0st in campaigns targeting organizations involved in AI efforts within the U.S., including academia, private industry, and government service.
In a notable case, SneakyChef utilized non-public Indian documents to target the Indian Ministry of Foreign Affairs. A decoy Microsoft Word document contained lures related to India-U.S. relations, including a list of events involving India’s prime minister and President Joe Biden, highlighting interactions up to September 2023. This method underscores the group’s strategic targeting and adaptation to different geopolitical contexts.
The cyberespionage landscape has seen various Chinese-aligned hacking campaigns in the past, with groups frequently updating their tools and techniques to evade detection. SneakyChef’s recent activities demonstrate a persistent and evolving threat aimed at acquiring sensitive geopolitical intelligence. These campaigns often use sophisticated malware to infiltrate high-value targets, reflecting an ongoing effort to gather crucial information.
A comparison of the recent findings with previous reports shows that the tactics, techniques, and procedures (TTPs) of these groups are continually advancing. The introduction of new tools like SpiceRAT alongside SugarGh0st indicates a strategic approach to cyberespionage. The emphasis on targeting government agencies and key geopolitical players highlights a broader objective to influence and understand international relations and policies.
Organizations worldwide need to remain vigilant against such sophisticated cyber threats. Keeping security controls current and monitoring for unusual activity can mitigate the risks posed by groups like SneakyChef. Collaboration between cybersecurity researchers and organizations is essential in identifying and countering these evolving threats. Addressing vulnerabilities and implementing robust defense mechanisms are crucial steps in protecting sensitive information from state-sponsored cyberespionage campaigns.