Cybersecurity Alert: New Insights on Threat Actors and Malware
Uncovering a Compromised Network
While helping the affected entity remediate the compromise, we made the unexpected discovery in the victim’s network. "This campaign is also the first documented time FamousSparrow used ShadowPad, a privately sold backdoor, known to only be supplied to China-aligned threat actors."
A Global Campaign of Breaches
The campaign extended to a breach of a research institute in Mexico, two days prior to the US compromise. When researchers fed the techniques and IoCs into a tracking system, it revealed additional activities, one of which was an attack on a government institute in Honduras. ESET is still investigating the others.
Attributing the Attack to FamousSparrow
While ESET attributes the July campaign to the entity it tracks as FamousSparrow with high confidence, the firm has reservations about identifying it as Microsoft’s Salt Typhoon. "There are a few overlaps between the two but many discrepancies." It said. "Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to (Salt Typhoon),"
Microsoft’s Claim
Microsoft claims that Salt Typhoon is the same as FamousSparrow and GhostEmperor, the threat intelligence leader has yet to attribute any such activities as discovered by ESET researchers.
Conclusion
The discovery of the compromised network has revealed new insights on threat actors and malware. The campaign, attributed to FamousSparrow, has extended to multiple countries, including the US, Mexico, and Honduras. While ESET has reservations about identifying it as Microsoft’s Salt Typhoon, the firm attributes the July campaign to FamousSparrow with high confidence.
FAQs
Q: What is ShadowPad?
A: ShadowPad is a privately sold backdoor known to only be supplied to China-aligned threat actors.
Q: What is FamousSparrow?
A: FamousSparrow is an entity tracked by ESET, which attributes the July campaign to it with high confidence.
Q: Is FamousSparrow the same as Salt Typhoon?
A: ESET has reservations about identifying it as Microsoft’s Salt Typhoon, citing "a few overlaps but many discrepancies". Microsoft claims that Salt Typhoon is the same as FamousSparrow and GhostEmperor, but ESET has yet to attribute any such activities as discovered by ESET researchers.
Q: What is the purpose of the backdoor, ShadowPad?
A: The purpose of the backdoor, ShadowPad, is to provide unauthorized access to compromised systems.
Q: What is the scope of the attacks?
A: The attacks have extended to multiple countries, including the US, Mexico, and Honduras.
Q: Is ESET investigating other attacks?
A: Yes, ESET is still investigating the other attacks.
