Chinese nexus threat groups are showing increased interest in exploiting zero-day vulnerabilities, raising alarm across the Asia-Pacific region, which is a primary target for these malicious attacks, according to a cybersecurity expert on Tuesday.
Alex Shim, the consulting leader for South Korea and Japan at Mandiant, a Google-owned cybersecurity firm, highlighted prominent threats targeting the APAC region during a press briefing at Google’s South Korea branch. His presentation was based on findings from the company’s annual report, “M-Trends,” which analyzed global threats over the past year.
The expert emphasized the increasing focus of Chinese hacking groups on exploiting zero-day vulnerabilities—security flaws unknown to the vendor that can be abused undetected, leaving developers no time to patch them. In particular, he highlighted the activities of a suspected Chinese cyber espionage cluster that the company tracks as UNC4841, an "uncategorized" (UNC) threat group. Mandiant classifies threat actors as UNC if they do not fall into either the advanced persistent threat (APT) or financially motivated (FIN) categories.
According to Shim, UNC4841 focused its activities on Asia-Pacific countries last year. The attackers exploited a zero-day vulnerability in an email security gateway application, a service designed to secure email transmission by filtering fraudulent messages. This allowed them to monitor the communications passing through the gateway, facilitating their efforts to search for and exfiltrate the information they needed. The company traced these activities back to at least October 2022.
The expert pointed out that UNC4841 selects targets that serve the geopolitical and military interests of the Chinese government. According to the report, the threat actors focused their operations on individuals associated with the Ministry of Foreign Affairs in Southeast Asian countries and research organizations in Taiwan and Hong Kong. Shim did not disclose additional information on other countries targeted by the Chinese threat actors beyond those mentioned in the report.
The consulting leader revealed that the company has detected 17 cases of zero-day exploits linked to alleged Chinese nexus threat actors. Shim further warned of Chinese hackers targeting edge devices, which sit at the boundary of a network and handle the traffic passing between networks.
“Generally, attackers have used phishing attacks to obtain what they need. Many security measures have been implemented to counter these activities,” Shim explained. “Therefore, they are now turning to exploiting zero-day vulnerabilities in edge devices, which do not have equivalent protections.”
Related article: South Korea ranks as the most targeted country after US and Ukraine, US cyber firm reveals
South Korea stands as one of the countries most frequently targeted by cybercriminals, trailing only behind the United States and Ukraine, an expert at a U.S. cybersecurity company revealed on Tuesday.
Luke McNamara, a principal analyst at Mandiant, a cybersecurity firm owned by Google, revealed during a press briefing at Google’s South Korean office that South Korea ranked third on the company’s “cyber threat risk score.” Drawing from both internal and public data from last year, the U.S.-based firm evaluated the cyber threat levels in twenty-five countries, excluding China and Russia.
According to McNamara, the “cyber threat risk score” considers both the frequency and potential impact of the attacks that a given country experiences. These attacks can vary in nature, encompassing everything from cybercrime and cyberespionage to information operations and hacktivism. For instance, while a country may frequently face distributed denial of service (DDoS) attacks, these may not be as devastating as malware attacks that target the operational technology used in critical infrastructure.