In late January, the Chinese-speaking group Xiaoqiying (also tracked as Genesis Day and Teng Snake) attacked 12 research and academic institutions in South Korea to steal data, according to a new report from Recorded Future's Insikt Group.
The attacks on South Korean institutions began on January 25 and hit scientific research institutes, medical academies and other research organizations. Based on an analysis of the group's Telegram channels, forum posts and wider online presence, the researchers concluded that Xiaoqiying is a hacktivist group not primarily interested in financial gain; its members appear to be motivated by Chinese nationalism.
According to experts, since the discovery of the campaign, hackers have already carried out a series of new cyber attacks against organizations in Japan and Taiwan. Experts believe that the group will carry out similar cyber attacks against the West and NATO countries, as well as any country hostile to China.
The researchers identified two Telegram channels belonging to the group: one used for announcements and a second shared with several other hackers. Both were shut down in February once the media began covering the attacks in South Korea. Before closing the channels, the group had used them to recruit new members.
On one of the Telegram channels (with 700 subscribers at the time of shutdown), the Xiaoqiying hackers claimed to have stolen a total of 54 GB of data from various organizations.
Insikt Group said the channel contained dozens of unverified claims of 2022 attacks against targets including the US FBI, Ukraine, the South Korean health and defense ministries, Taiwan and Japan. The group also claimed to have gained access to Samsung's internal network.
Partnerships advertised on the channel included claimed collaborations with Lapsus$, Hive, and Pakistani and Russian hacker groups. Chat logs reviewed by the researchers showed that the group routinely compromised IoT devices using popular penetration testing tools and publicly available proof-of-concept (PoC) exploits.
No link between the group and the Chinese government has been established, but the fact that the group never tried to monetize its access or the stolen data suggests that the hackers are ideologically motivated.
From the Telegram channel, Insikt Group researchers managed to obtain, among other things:
- data stolen from various companies;
- source code and malware samples;
- files associated with US government agencies;
- stolen credit card information.
Notably, after the Telegram channels were closed, Xiaoqiying members continued to advertise their activities on the group's public website.
Chinese hackers are not the only ones attacking South Korea. North Korean state-backed hackers remain a formidable adversary of South Korea in cyberspace: Google's Threat Analysis Group (TAG) recently reported that ARCHIPELAGO, a North Korean government-backed group, is targeting government and military personnel, think tanks, politicians, academics and researchers in South Korea and the United States.