The Chinese hacking saga against the U.S. and the U.K. continues to heat up. Targeted countries have set new criminal charges and sanctions against the hacking group APT31 — allegedly running cyber espionage attacks on behalf of China’s civilian intelligence agency.
However, security experts warn that another threat actor known as Earth Krahang, also allegedly tied to the government of China, has been coordinating attacks against governments in Southeast Asia, Europe, America, and Africa since 2022.
Techopedia sat with cybersecurity and national security experts to understand who Earth Krahang is, what their motives, technologies, and techniques are, and why the group should be taken seriously.
Key Takeaways
- As China-supported cyber espionage operations are revealed to the world, the country faces criticism and sanctions from the U.S. and the U.K.
- A new China-linked hacking group called Earth Krahang has been targeting governments in Southeast Asia, Europe, America, and Africa since 2022.
- Earth Krahang leverages vulnerabilities in public-facing services and uses spear-phishing emails to compromise systems.
- Earth Krahang is likely linked to the Chinese company I-Soon, which has been accused of acting as an APT-for-hire for the Chinese government.
- The ultimate goal of Earth Krahang is cyberespionage, and government organizations are their primary targets.
- Experts explain Earth Krahang’s activities and how they are impacting the current state of cyber warfare by creating a false-flag operation that misdirects suspicion and disrupts international relations.
- Show Full Guide
Experts Answer: Who is Earth Krahang?
On March 18, 2024, Trend Micro released a report with the findings of an investigation that began in 2022. Trend Micro found that the hacking group Earth Krahang was exploiting intergovernmental trust to launch cross-government attacks.
Earth Karang leverages vulnerabilities in public-facing services and uses spear-phishing emails to drop previously unseen backdoors on victims ́ systems. Researchers also found evidence that links Earth Karang to another Chine-nexus threat actor known as Earth Lusca as well as to the Chinese penetration testing company I-Soon.
Ashley-Yvonne Howard, Senior Cloud Security Strategist at Panther Labs — a modern security information and event management (SIEM) platform for the cloud —- talked to Techopedia about the group.
“Earth Krahang is a previously unidentified Chinese espionage group that successfully breached at least 70 organizations in 23 countries and targeted at least 116 across 45 countries.”
“Included in the confirmed breached organizations are 48 in the government space. Other victims are from education, telecommunications, finance, IT, and more sectors.”
Irina Tsukerman — U.S. national security lawyer and President of Scarab Rising, Inc., a security and geopolitical risk strategic advisory — also linked Earth Krahang with China and explained the synergy between the group and the People’s Republic of China (PRC).
“Earth Krahang is a type of cyber intrusion-penetration campaign that targets international government entities-actors. It is likely linked to the Chinese company I-Soon.”
Tsukerman explained that the nature of I-Soon was recently exposed in a massive leak online, and Malwarebytes speculated that while the origin of the I-Soon leak of February 2024 is uncertain, one possible explanation is a disgruntled I-Soon inside man.
Data from the leak include hacking tools and resources, evidence that links I-Soon as a private contractor that operates as an Advanced Persistent Threat (APT)-for-hire (operating for China’s Ministry of Public Security).
According to the leaked data, i-Soon infiltrated several government departments, including those from India, Thailand, Vietnam, South Korea, and NATO.
Tsukerman added:
“This type of threat actor acts as a private entity and may have distinct goals and interests but engages in sophisticated methods to the benefit of a state actor.
“I-Soon was responsible for developing the ‘commercial’ spyware and other tools that were, in fact, being used by APTs to carry out missions and operations that ultimately benefited the government agenda. The PRC uses third-party entities to obscure its role in international intelligence operations.”
Understanding the Motives Behind State-Supported Hackers
In the underground world of cybercriminals and bad actors, illegally obtained financial gains tend to be the main motivating force behind attacks. However, as geopolitical tensions increase around the world due to political and commercial differences, and fueled by armed conflicts such as the ongoing Russian invasion of Ukraine, and the Hamas-Israel war, nation-state-supported hackers are becoming every day more politically driven.
Tsukerman spoke about the complex relationships that hackers belonging to groups like Earth Krahang have with the government of China.
Patriotism, Entrapment, and Forced Cooperation
According to Tsukerman many threat actors like Earth Krahang appear to be private hackers motivated by PRC’s call to duty — patriotism.
“More often than not, there is a tacit understanding between the cyber-criminals and the government that they continue their enrichment and private acts of hacking outside their own country without legal repercussions so long as they provide informal assistance to the government in meeting their needs.”
But Tsukerman added that the level of cooperation and government support these groups get varies from hacker group to hacker group.
“It may range from voluntary and engaged cooperation to reluctant or forced operations from hackers who had been caught or entrapped and compelled to carry out intelligence operations to avoid prison.”
Earth Krahang: “A Jack of All Trades”
James McQuiggan, Security Awareness Advocate at KnowBe4 — a security awareness training and simulated phishing platform — spoke to Techopedia about what pushes Earth Krahang to launch cyberattacks and cyberespionage operations.
“APT groups like Earth Krahang are motivated by various reasons, including economic, geopolitical, and strategic interests. These motivations drive the group to target government entities, with the ultimate goal of advancing the interests of their sponsoring state.”
“They are a jack of all trades and leverage various attack vectors to help their cause. Spear phishing targets specific groups of people and socially engineers them to gain access to the organization or government entity.”
McQuiggan added that the group also leverages already-established access to government websites or emails. Then, the group emails government contacts with malicious URLs. Using known and trusted emails to increase the opportunity they trick victims into installing malware.
Earth Krahang´s Ultimate Goal and Hacking Technologies
Howard from Panther Labs had a clear answer to the question of what motivates Earth Krahang.
“The ultimate motivation of this group is cyberespionage”
Like other international cybercriminal groups, Earth Krahang’s preferred vector of attack is phishing. By establishing trust through the use of trusted email addresses, the groups operate by tricking workers and getting easy access by stealing credentials and dropping malicious payloads and backdoors.
Malware Bytes explained that government organizations seem to be Earth Krahang’s primary targets, with 48 government organizations being compromised and a further 49 other government entities being targeted. Within government organizations, Foreign Affairs Ministers are the most attacked by the group.
Digital forensics analysis reveals that Earth Krahang used Cobalt Strike and two custom backdoors, RESHELL, .NET, and XDealer — all simple backdoors with basic capabilities that allow bad actors to extract data, drop files on infected systems, execute remote system commands, and more.
In 2023, the group evolved and began using the XDealer backdoor, which compared to RESHELL, gives hackers more comprehensive backdoor capabilities.
Howard dove further into the techniques that Earth Krahang utilizes for its operations.
“They aren’t super sophisticated. They abuse this infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails via compromised government email accounts.”
Howard added that the group also deploys tactics such as setting up VPN servers on compromised public-facing servers to infiltrate victims’ private networks and conducting brute-force attacks to obtain email credentials, enabling them to exfiltrate victim emails.
False Flag Operations
As the veil is withdrawn, exposing China´s support and collaboration with threat actors, Tsukerman from Scarab Rising Inc. spoke about Earth Krahang activities and technologies.
“In intelligence parlor, their activity can to some extent fit into a category of ‘false flag operations’”.
A false flag operation is a covert maneuver where an action is performed to appear as if it was done by another party. This is done to mislead people and shift the blame.
“Some of their operations involve its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts.”
Tsukerman also said the group builds VPN servers on compromised public-facing servers to establish access into the private network of victims and perform brute-force attacks to obtain email credentials.
“These credentials are then used to exfiltrate victim emails, with the group’s ultimate goal being cyber espionage.”
Git and Idea Files, and Brute Force Techniques
Speaking about the technology the group uses, Tsukerman listed open-source scanning tools that perform recursive searches of folders such as .git or .idea files.
While Git and .idea files do not directly contain sensitive information themselves, Git and .idea files can be valuable for cyber espionage in different ways.
Git tracks changes made to code over time. An attacker could use this history to understand the project’s development process, identify vulnerabilities introduced in earlier versions, see what features are being worked on, and potentially steal unreleased code.
Git files can also reveal the project’s organization and focus. Attackers might learn about planned features, internal discussions reflected in branch names, or identify deployment schedules. In rare cases, developers might accidentally commit sensitive credentials (passwords, API keys) into the Git repository. These can be disastrous if accessed by attackers.
In contrast, .idea files are specific to JetBrains IDEs (like IntelliJ IDEA) and store project configurations. While not directly containing sensitive data, they could reveal libraries and frameworks used in the project, potentially leading to vulnerability discovery. These files can also host code formatting preferences data, which can be a minor indicator of the development team’s origin (though not very reliable).
“The threat actor also resorts to simply brute-forcing directories to help identify files that may contain sensitive information such as file paths or passwords on the victim’s servers,” Tsukerman said.
Other techniques and technologies that Earth Krahang uses, highlighted by Tsukerman include: the examination of the subdomains of their targets to find interesting and possible unmaintained servers, vulnerability scanning with tools like sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan to find web server weak points that allow them to access the server, drop web shells, and install backdoors.
“In terms of open-source tools, those are not particularly complicated and less likely to lead to the detection of a specific APT, ” Tsukerman said and added that backdoor filenames of Earth Krahang are usually related to geopolitical topics, indicating their preferred type of lure.
How Earth Krahang Influences International Cyber Warfare
Techopedia asked experts how Earth Krahang’s actions are impacting the current state of cyber warfare.
Howard from Panther Labs said the group is definitely leaving a mark. “More than half of the organizations they attacked across 23 countries are part of the government,” Howard said.
“This signifies a major need to find a more unified approach when it comes to cybersecurity because the group doesn’t seem to have a preference on which country to breach. How we help unify is by keeping up with employee training so employees can better spot phishing emails.”
Abusing Government Trust and Reaping Chaos
For Tsukerman the element of a “false-flag operation” is vital as it is used to misdirect suspicion towards a friendly government.
“And by weaponizing intergovernmental trust, (Earth Krahang) compromise diplomatic or security relations as much as the servers or mailboxes of the respective agencies.
“The presence of Earth Krahang adds an element of chaos to the cyber warfare environment by masking the trail and diverting attention from the specific types of tools and the combination of methods that could point to the I-Soon linked origin of the threat.”
As Tsukerman explains, it is not uncommon for adversarial foreign intelligence agencies to use various methods not only to disguise their own trail but to use imitation spyware to misdirect the investigation elsewhere, including towards another government or company, with the hope of wreaking havoc in relations as well as gathering intelligence.
“Even casting a temporary shadow of suspicion and complicating the international cyberwarfare landscape is enough of a success,” Tsukerman said.
As Earth Krahang and its ilk become more sophisticated Tsukerman said these groups are more likely to use their tools as frequently to start espionage or smear campaigns against governments and companies and to disrupt relations and intelligence cooperation.
The Bottom Line
The actions of Earth Krahang have a profound impact on cyber warfare and add further tensions and pressure on U.Sx., European, and other countries’ relationships with China.
China is now facing strong criticism, possible criminal charges, and sanctions from different countries that are responding to evidence that China is heavily involved in malicious cyber operations and cyber espionage around the world.
Once again, geopolitical differences are spilling over into the digital world at an alarming rate and escalation pace, impacting millions of people and governments around the world. The Chinese-supported cyber actions are a reflection of the state of global politics and global cyber warfare and are only expected to continue manifesting themselves in the near future.
