03-09-2026, 02:17 AM
GOOGLE VS CHINESE HACKERS PART II
Quote:Feb 25 (Reuters) - Google disrupted a Chinese-linked hacking group that breached at least 53 organizations across 42 countries, the company said Wednesday.
The hacking group, tracked as UNC2814 and "Gallium", has a nearly decade-long history of penetrating government organizations and telecommunications companies, the company said in findings shared exclusively with Reuters.
“This was a vast surveillance apparatus used to spy on people and organizations throughout the world,” John Hultquist, chief analyst with Google Threat Intelligence Group, said.
Google (GOOGL.O) and unnamed partners terminated Google Cloud projects controlled by the hacking group, identified and disabled internet infrastructure it was using and disabled accounts the group used to access Google Sheets, which it used to carry out its targeting and data theft operations.
Using Google Sheets allowed the group to evade detection and blend into normal network traffic and was not a compromise of any Google product, the company added.
Charley Snyder, senior manager of Google Threat Intelligence Group, said the group had confirmed access to 53 unnamed entities across the 42 countries, with potential access in at least 22 more countries at the time of disruption.
Snyder declined to identify the compromised entities, but said in one case the group had installed a backdoor Google calls “GRIDTIDE” on a system containing full names, phone numbers, dates of birth, place of birth, voter ID and national ID numbers.
The targeting is consistent with efforts to identify and track select targets, the company said. “Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco’s lawful intercept capabilities.”
Chinese Embassy spokesperson Liu Pengyu said in a statement that "cyber security is a common challenge faced by all countries and should be addressed through dialogue and cooperation.
"China consistently opposes and combats hacking activities in accordance with the law, and at the same time firmly rejects attempts to use cyber security issues to smear or slander China."
The activity is distinct from separate high-profile, telecommunications-focused Chinese hacking activity tracked as “Salt Typhoon,” Google said. That campaign, which the U.S. government has linked to China, targeted hundreds of U.S. organizations and prominent U.S. political figures.
ITALIAN COUNTERTERRORISM OFFICERS EXPOSED
Quote:Personal data of roughly 5,000 Italian Digos officers — including names, roles and postings — was reportedly obtained by hackers linked to China after a cyber intrusion into the Interior Ministry’s network between 2024 and 2025.
Why it matters: The breach potentially exposes officers involved in counterterrorism and monitoring Chinese dissidents, raising serious national security concerns and complicating Italy’s relations with Beijing.
What we know: The intrusion allowed attackers to download classified personnel data.
- Such operations are often associated with Chinese state-linked intelligence activity.
- Many of the targeted officers were assigned to tracking dissidents who fled China.
Diplomatic paradox. In 2024, Interior Minister Matteo Piantedosi met in Beijing with his counterpart Wang Xiaohong.
- The two countries launched a three-year cooperation plan on drugs, cybercrime, human trafficking and organised crime.
- China also responded for the first time to a request from Italian prosecutors investigating Chinese criminal networks.
Between the lines: The domestic angle. A violent struggle is underway in Tuscany over control of sectors tied to the textile supply chain, including logistics and packaging.
- The escalation since summer 2024 has involved attempted murders, arson and extortion.
- Following a public appeal by prosecutors, hundreds of exploited workers — along with Chinese entrepreneurs facing violence — have begun cooperating with authorities.
What’s emerging: Investigators in Rome suspect Beijing may already possess sensitive knowledge about Italy’s investigative structures.
What we’re watching: If confirmed, the breach could force Rome to reassess cybersecurity defences and the scope of law-enforcement cooperation with China.
FBI SURVEILLANCE NETWORK BREACHED
Quote:March 6 (Reuters) - U.S. investigators believe hackers affiliated with the Chinese government are responsible for a cyber intrusion on an internal Federal Bureau of Investigation computer network that holds information related to some domestic surveillance orders, the Wall Street Journal reported on Friday.
The scope and severity of the intrusion are not known, and the investigation is in its early stages, the report said, citing people familiar with the matter.
The FBI declined to comment. The Chinese embassy in Washington did not immediately respond to Reuters' request for comment.
- The FBI began investigating abnormal log activity in the targeted system on its network February 17, according to a copy of a notification sent by the FBI to Congress this week reviewed by Reuters.
- Hackers targeted an unclassified system that contains information about and related to the communications of people under FBI investigation, according to the notification.
- The FBI described the hackers' techniques as "sophisticated," and said remediation and forensic investigations were ongoing.
- Politico reported that the White House, National Security Agency, Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the FBI were collaborating on an investigation into the matter.
- A White House official told Reuters it "regularly convenes meetings to discuss any cyber threat to the U.S.," but that it would not discuss the details of any particular incident or particular meetings.
- CISA referred questions to the FBI, which declined to comment. The NSA did not respond to a request for comment.
SOUTH AMERICAN TELECOMS HIT BY CHINESE HACKERS
Quote:A China-linked cyberespionage group has been targeting telecommunications providers in South America since 2024 using a set of newly discovered malware tools designed to maintain persistent access to critical communications infrastructure, Cisco Talos researchers found.
The threat intelligence company tracks the group as UAT-9244 and says it overlaps with Chinese advanced persistent threat groups Famous Sparrow and Tropic Trooper.
Famous Sparrow has been active since at least 2019, with a history of targeting hotels, governments, international organizations and law firms. Tropic Trooper has operated since at least 2011, focusing primarily on government agencies, transportation networks and high-tech industries across Taiwan, the Philippines and Hong Kong, with more recent activity reported in the Middle East.
The campaign focuses on telecommunications networks, which provide access to large volumes of sensitive communications data and can serve as strategic intelligence collection points for nation-state actors.
Cisco Talos identified three previously undocumented malware families used in the intrusions: a Windows backdoor dubbed TernDoor, a Linux backdoor called PeerTime and a credential brute-forcing tool known as BruteEntry.
Researchers observed the attackers using DLL side-loading techniques to deploy TernDoor, a process in which a legitimate executable loads a malicious library that decrypts and launches the final payload in memory, injected into the Windows process msiexec.exe to blend in with routine system behavior. Once deployed, the backdoor enables operators to execute commands remotely, collect system information and manipulate files on compromised machines.
Talos said TernDoor traces its lineage through CrowDoor - a backdoor previously associated with Chinese cyberespionage activity - back to SparrowDoor, an older implant long attributed to Famous Sparrow. To maintain persistence, TernDoor creates a scheduled task and modifies related registry keys to conceal it from standard system views. It also sets a Windows Registry Run key that relaunches the malware at every user login. The implant also installs a malicious Windows driver capable of suspending or terminating processes, a technique that can help attackers evade security monitoring tools.
The second tool, PeerTime, is an ELF-based backdoor designed to run across multiple processor architectures, including ARM, MIPS, PowerPC and AArch64, enabling it to infect a range of Linux servers, routers and embedded systems commonly deployed in telecommunications environments. Talos identified two versions of the implant: one written in C/C++ and a second built in Rust.
Unlike traditional malware that communicates with a centralized command-and-control server, PeerTime uses the BitTorrent protocol to retrieve instructions and download additional payloads from peers. Researchers said this approach helps obscure the attackers' infrastructure and complicates detection. They said the instrumentor binary accompanying the malware contains debug strings written in Simplified Chinese, a linguistic indicator the researchers said ties the campaign directly to Chinese-speaking operators.
The malware also can disguise its processes as legitimate system programs while executing commands and transferring files between infected systems.
The third component, BruteEntry, is used to convert compromised edge devices into scanning infrastructure - known as operational relay boxes - capable of conducting credential brute-force attacks against exposed services. Written in Go, the tool registers with a command-and-control server and receives lists of IP addresses to probe.
BruteEntry scans for services such as SSH, Postgres and Tomcat and attempts authentication using built-in credential lists. When valid credentials are identified, the information is transmitted back to the attackers' command infrastructure, with the C2 response indicating whether each brute-force attempt succeeded or failed.
Researchers said the tool effectively turns compromised systems into a distributed scanning network, allowing the attackers to probe large portions of the internet for vulnerable systems and expand their access into additional networks.
The intrusions add to a growing body of reported Chinese espionage activity against telecommunications providers globally. Salt Typhoon, a separate China-linked group, previously compromised at least nine major U.S. carriers and breached systems across more than 80 countries. Researchers identified continued Salt Typhoon activity into early 2026 (see: Norway Says Salt Typhoon Hackers Hit Vulnerable Systems).
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
![[Image: SP1-Scripter.png]](https://www.save-point.org/images/userbars/SP1-Scripter.png)
![[Image: SP1-Writer.png]](https://www.save-point.org/images/userbars/SP1-Writer.png)
![[Image: SP1-Poet.png]](https://www.save-point.org/images/userbars/SP1-Poet.png)
![[Image: SP1-PixelArtist.png]](https://www.save-point.org/images/userbars/SP1-PixelArtist.png)
![[Image: SP1-Reporter.png]](https://i.postimg.cc/GmxWbHyL/SP1-Reporter.png)
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE
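The BruteEntry behaviour described in the Cisco Talos write-up quoted above (credential brute forcing of SSH, Postgres and Tomcat from many compromised relay boxes, with successful hits reported back to C2) is something a defender can hunt for in ordinary authentication logs. The script below is an added example and is not code from the original post or from Cisco Talos. The log lines are constructed; the PostgreSQL format assumes a log_line_prefix that includes the client host and log_connections=on; the Tomcat lines follow the common access-log format, in which a rejected Basic-auth attempt logs the user as "-"; and the thresholds are assumptions to tune per environment.

```python
"""Hunt for BruteEntry-style credential brute forcing in sshd, PostgreSQL and
Tomcat logs.  Added example: sample lines are constructed, thresholds are assumed."""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

class AuthEvent(NamedTuple):
    service: str
    src: str    # source IP
    user: str   # "-" when the log does not reveal the attempted user
    ok: bool    # True for a successful authentication

# Constructed sample: sshd auth.log; PostgreSQL with log_line_prefix='%m [%p] %h '
# and log_connections=on (assumed); Tomcat common access-log format (%u is "-"
# on a rejected Basic-auth attempt, so failed usernames are not visible there).
SAMPLE_LOGS = """\
Mar  6 02:11:03 edge1 sshd[4102]: Failed password for root from 203.0.113.10 port 51022 ssh2
Mar  6 02:11:05 edge1 sshd[4102]: Failed password for root from 203.0.113.10 port 51023 ssh2
Mar  6 02:11:08 edge1 sshd[4102]: Failed password for invalid user admin from 203.0.113.10 port 51024 ssh2
Mar  6 02:11:09 edge1 sshd[4102]: Failed password for root from 203.0.113.10 port 51025 ssh2
Mar  6 02:11:10 edge1 sshd[4102]: Failed password for root from 203.0.113.10 port 51026 ssh2
Mar  6 02:11:12 edge1 sshd[4102]: Failed password for root from 203.0.113.10 port 51027 ssh2
Mar  6 02:11:15 edge1 sshd[4110]: Accepted password for root from 203.0.113.10 port 51028 ssh2
Mar  6 02:20:01 edge1 sshd[4200]: Accepted publickey for ops from 10.0.0.5 port 40000 ssh2
2026-03-06 02:12:41.101 UTC [9001] 198.51.100.2 FATAL:  password authentication failed for user "postgres"
2026-03-06 02:12:43.207 UTC [9002] 198.51.100.3 FATAL:  password authentication failed for user "postgres"
2026-03-06 02:12:44.318 UTC [9003] 198.51.100.4 FATAL:  password authentication failed for user "postgres"
2026-03-06 02:12:46.422 UTC [9004] 198.51.100.5 FATAL:  password authentication failed for user "postgres"
2026-03-06 02:12:48.530 UTC [9005] 198.51.100.6 FATAL:  password authentication failed for user "postgres"
2026-03-06 02:12:49.644 UTC [9006] 198.51.100.7 FATAL:  password authentication failed for user "postgres"
2026-03-06 02:12:50.004 UTC [9007] 198.51.100.7 LOG:  connection authorized: user=postgres database=cdr
192.0.2.9 - - [06/Mar/2026:02:13:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.9 - - [06/Mar/2026:02:13:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.9 - - [06/Mar/2026:02:13:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.9 - admin [06/Mar/2026:02:13:04 +0000] "GET /manager/html HTTP/1.1" 200 19214
"""

SSH_RE = re.compile(r'sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)')
PG_FAIL_RE = re.compile(r'\[\d+\] (\S+) FATAL:\s+password authentication failed for user "([^"]+)"')
PG_OK_RE = re.compile(r'\[\d+\] (\S+) LOG:\s+connection authorized: user=(\S+)')
TOMCAT_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')

def parse_line(line):
    """Normalise one log line into an AuthEvent; None if it is not an auth event."""
    if m := SSH_RE.search(line):
        return AuthEvent("ssh", m[3], m[2], m[1] == "Accepted")
    if m := PG_FAIL_RE.search(line):
        return AuthEvent("postgres", m[1], m[2], False)
    if m := PG_OK_RE.search(line):
        return AuthEvent("postgres", m[1], m[2], True)
    if m := TOMCAT_RE.match(line):
        src, user, status = m[1], m[2], m[3]
        if status == "401":           # challenge rejected: a failed attempt
            return AuthEvent("tomcat", src, user, False)
        if user != "-":               # any other status with a user: logged in
            return AuthEvent("tomcat", src, user, True)
    return None

def parse_logs(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def noisy_sources(events, threshold=5):
    """Classic brute force: one source, many failures against one service."""
    fails = Counter((e.service, e.src) for e in events if not e.ok)
    return sorted(k for k, n in fails.items() if n >= threshold)

def distributed_targets(events, min_sources=5, max_per_source=2):
    """Relay-box pattern: one (service, user) probed from many sources, a few
    tries each, so no single source crosses the per-source threshold."""
    per_target = defaultdict(Counter)
    for e in events:
        if not e.ok:
            per_target[(e.service, e.user)][e.src] += 1
    return sorted(t for t, srcs in per_target.items()
                  if len(srcs) >= min_sources and max(srcs.values()) <= max_per_source)

def successes_after_failures(events):
    """Highest priority: a source that failed and then logged in to the same
    service, which is what a hit reported back to the C2 looks like on our side."""
    failed, hits = set(), []
    for e in events:
        key = (e.service, e.src)
        if e.ok and key in failed:
            hits.append((e.service, e.src, e.user))
        elif not e.ok:
            failed.add(key)
    return hits

def hunt(text):
    events = parse_logs(text)
    return {
        "noisy_sources": noisy_sources(events),
        "distributed_targets": distributed_targets(events),
        "successes_after_failures": successes_after_failures(events),
    }

if __name__ == "__main__":
    for finding, items in hunt(SAMPLE_LOGS).items():
        print(finding, items)
```

On the constructed sample the per-source threshold only flags the noisy SSH scanner; the six Postgres sources with one try each are caught only by the distributed check, which is the relay-box pattern the article describes; and the success-after-failure check fires for all three services, including the Tomcat case where three failures never reached the threshold. That last list is the one to alert on first, since each entry is a credential the operators now hold.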