December 1, 2024

Trend Micro Exposes Earth Estries' Advanced Cyber Espionage Campaign Across 13 Countries


Chinese APT Group Earth Estries' Global Cyber Campaign

In a startling revelation, cybersecurity firm Trend Micro has uncovered an extensive cyber espionage campaign orchestrated by the Chinese Advanced Persistent Threat (APT) group known as Earth Estries. The group, also referred to as Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286, has been targeting critical infrastructure sectors across 13 countries, showcasing a sophisticated and aggressive approach to cyber warfare.

The campaign, which has been active since 2023, primarily focuses on telecommunications and government entities in the United States, Asia-Pacific, Middle East, and South Africa. Trend Micro's research indicates that Earth Estries has successfully compromised over 20 organizations across various sectors, including telecommunications, technology, consulting, chemical, transportation industries, government agencies, and non-governmental organizations (NGOs).

One of the most significant findings of the investigation is the discovery of a new backdoor called GHOSTSPIDER. This previously undocumented malware was identified during attacks on Southeast Asian telecommunications companies. GHOSTSPIDER is a multi-modular backdoor designed with several layers, allowing it to load different modules for specific purposes. Its sophisticated design includes a custom protocol protected by Transport Layer Security (TLS) for secure communication with command and control (C&C) servers, making it particularly challenging for cybersecurity teams to detect and mitigate.

In addition to GHOSTSPIDER, Earth Estries employs other advanced tools in its arsenal. The group has been observed using Space Pirates tools and MASOL RAT, the latter being a cross-platform backdoor targeting Linux servers within Southeast Asian government networks. The use of these diverse tools suggests that Earth Estries might be sourcing its malware from different malware-as-a-service providers, further complicating attribution and defense efforts.

The group's attack methodology is equally sophisticated. Earth Estries exploits vulnerabilities in public-facing servers to gain initial access. Once inside a network, they leverage living-off-the-land binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement. This approach allows them to deploy customized malware like SNAPPYBEE, DEMODEX, and GHOSTSPIDER for long-term espionage activities.
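The lateral-movement step above is the one a defender can most readily turn into telemetry: WMIC.exe with a `/node:` target and PsExec with a `\\host` argument are remote-execution invocations, and PSEXESVC.exe starting under services.exe is the service PsExec drops on the target side. The following detection sketch is an added example, not code from Trend Micro or from the report; the event fields, hostnames, users and command lines are constructed assumptions shaped loosely like Windows Security event 4688 / Sysmon event 1 records.

```python
"""
Flag LOLBIN lateral-movement patterns (WMIC.exe / PSEXEC.exe) in
process-creation telemetry. Added example; the record shape and the
sample events below are assumptions, not data from the article.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    host: str            # host on which the process was created
    user: str            # account that started it
    parent_image: str    # parent process path
    image: str           # process path
    command_line: str    # full command line


# wmic /node:<host> ... is WMIC's switch for running a query or method on a remote host.
WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)
# psexec \\<host> ... names the remote target; the regex matches a literal "\\host" token.
PSEXEC_TARGET = re.compile(r"\\\\[\w.-]+")


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a detection tag for a single event, or None if it looks local/benign."""
    name = image_name(event.image)
    cmd = event.command_line
    if name == "wmic.exe" and WMIC_REMOTE.search(cmd):
        return "wmic-remote-exec"
    if name in ("psexec.exe", "psexec64.exe") and PSEXEC_TARGET.search(cmd):
        return "psexec-remote-exec"
    if name == "psexesvc.exe" and image_name(event.parent_image) == "services.exe":
        # Service-side artifact on the machine that was targeted.
        return "psexec-service-on-target"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run classify() over a batch and return (host, user, tag) for every hit."""
    findings = []
    for ev in events:
        tag = classify(ev)
        if tag:
            findings.append((ev.host, ev.user, tag))
    return findings


# Constructed sample telemetry (placeholder hosts and accounts).
SAMPLE_EVENTS = [
    # Local WMIC query: no remote target, should not fire.
    ProcessEvent("WS01", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wbem\wmic.exe", "wmic os get caption"),
    # WMIC used to start a process on another host.
    ProcessEvent("WS01", "CORP\\svc_admin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\wmic.exe",
                 r'wmic /node:FS02 process call create "cmd.exe /c whoami"'),
    # PsExec launched against a remote host.
    ProcessEvent("JUMP01", "CORP\\svc_admin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Tools\PsExec.exe", r"PsExec.exe \\DC01 -s cmd.exe"),
    # Service PsExec installs on the target, started by the SCM.
    ProcessEvent("DC01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Correlating the source-side hit (WS01 or JUMP01) with the service-side hit on DC01 within a short window is what turns three isolated alerts into one lateral-movement incident; the source host, the account and the target named in the command line give the pivot keys.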

What sets Earth Estries apart is its organizational structure and division of labor. Trend Micro's findings speculate that different actors within the group are responsible for attacks targeting specific regions and industries. Moreover, the C&C infrastructure used by various backdoors appears to be managed by separate teams, highlighting the complexity and scale of the operation.

The geographical reach of Earth Estries is particularly alarming. Victims have been identified in Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the United States, and Vietnam. This wide-ranging campaign underscores the global nature of the cyber threat landscape and the need for international cooperation in cybersecurity.

Experts at Trend Micro emphasize that Earth Estries conducts stealthy attacks that often start from edge devices and extend to cloud environments. This approach, combined with their use of various methods to establish operational networks, effectively conceals their cyber espionage activities and demonstrates a high level of sophistication.

The revelations about Earth Estries come at a time when Chinese hackers have penetrated more than a dozen telecom companies in the U.S. alone, with as many as 150 victims identified and notified by the U.S. government.

As the threat landscape continues to evolve, cybersecurity experts stress the importance of proactive defense measures. Organizations, particularly those in critical infrastructure sectors, are urged to remain vigilant and strengthen their cybersecurity postures. This includes regular security audits, implementing robust patch management systems, and adopting a zero-trust security model.

The Earth Estries campaign serves as a stark reminder of the persistent and evolving nature of cyber threats targeting critical infrastructure. As nation-state actors continue to refine their tactics and tools, the global cybersecurity community must adapt and collaborate to stay ahead of these sophisticated threats.

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
