A China-Linked Group Is Targeting Job Seekers in South Africa’s Cyberspace

  • Last updated April 17, 2023
  • written by

There’s a growing number of cyberattacks in South Africa, targeting its banks and telecommunications, often using fake recruitment websites. All these attacks have been linked to Mustang Panda – a threat actor based in China.

As per the data collected by Trellix, a cybersecurity organization, a sustained wave of cyberattacks has been noticed during 2022’s first quarter. This surge is not unusual if we consider December and January’s holiday-associated break.

The nature of these cyberattacks calls for extreme vigilance and alarm. Trellix disclosed that various main threat actors have been active so far, especially in 2022, in Wednesday’s cyber threat intelligence briefing conducted for South Africa.

The most prominent among them is Mustang Panda, which is also known as Bronze President and RedDelta.

This cyber-espionage group linked to China has been active since the previous decade, but there has been a significant increase in its attacks since the global pandemic, 2020. Its main objective was to accumulate intelligence on non-profits, NGOs, think tanks, and religious organizations in Europe and the USA.

Trellix, previously known as the McAfee Advanced Threat Research (ATR) Strategic Intelligence team, revealed an espionage campaign that aimed toward telecommunication organizations in 2021, dubbed Operation Diànxùn.

According to Trellix, “with a moderate level of confidence”, this particular campaign assigned to Mustang Panda “has to do with the ban of Chinese technology in the global 5G roll-out.”

South Africa’s Trellix country lead, Carlo Bolzonello, said in Wednesday’s briefing:

“Mustang Panda is quite prolific in South Africa for the last three months,”

“From a South African perspective, they’ve been very active in the last three months around the banking and wealth management sector.”

Trellix’s cyber investigations head and chief engineer, John Fokker, said that the threat actor is considered to support China’s government.

John Fokker said:

“In the past, especially in Europe, there was a big debate around 5G and about replacing 5G technology with specific Chinese-built technology at the core. And from a security perspective, this was a big debate,”

“And what we observed was Mustang Panda targeting telecommunications sectors in countries where this debate was most likely. And how they actually did it… they did actually have a fake career site, so we assume they posed as recruiters trying to recruit individuals with technical knowledge within the telecommunications sector and persuade them to open a file and then infect their computer.”

As per Fokker, the actual goal of this campaign was to determine a specific telecommunications organization’s position towards manufacturers in China.

Even though they were recently noted for their cyberattacks on the wealth management and banking sector of Africa, Bolzonello mentioned that the attacks on the telecommunications sector of South Africa were also detected during the 5G technology debate.

Bolzonello said:

“Mustang Panda is there to collect data, stick around, and exfiltrate data out and that data could be used for numerous different things,”

“So, the risk is quite high with someone like a Mustang Panda that definitely has a reason to be there, in your environment.”

Mustang Panda mostly uses PlugX (a RAT malware family’s part), which is masked as a legit file. As soon as it’s downloaded, the threat actor forms a backdoor of the target’s device for remote management, with the capability to access data and monitor the activities of users.

This isn’t the first time that the China-linked threat actors have targeted a country. A while back, thwarted cyberattacks on Queensland’s electricity company were blamed on China as well.

Leave a Reply

Your email address will not be published. Required fields are marked *