China-Backed APT Group Culling Thai Government Data

An emergent China-aligned threat actor called CeranaKeeper has orchestrated a massive data exfiltration effort across Southeast Asia, most recently launching a barrage of cyberattacks against government institutions of Thailand.

The group has been working since early 2022, according to ESET researchers. Analysis showed CeranaKeeper was using components common with the known Chinese-backed APT group Mustang Panda, in addition to fresh tools for undermining legitimate file-sharing services, including Pastebin, Dropbox, OneDrive, and GitHub.

“Based on our findings, we decided to track this activity cluster as the work of a separate threat actor,” a new ESET report said. “The numerous occurrences of the string [Bb]ectrl in the code of the group’s tools inspired us to name it CeranaKeeper; it is a wordplay between the words beekeeper and the bee species Apis Cerana, or the Asian honey bee.”

CeranaKeeper broke into Thai government systems through a brute-force attack against a local area network domain control server in mid-2023, ESET said. From there the group was able to get privileged access, deploy the Toneshell backdoor and a credential dumping tool, and also abuse a legitimate Avast driver to disable security protections.

Once comfortably in the network, the group began a massive data harvesting effort, ESET observed.

The group is “relentless,” rapidly evolving, and nimble, ESET warned.

“The operators write and rewrite their toolset as needed by their operations and react rather quickly to keep avoiding detection,” ESET added. “This group’s goal is to harvest as many files as possible and it develops specific components to that end.”

The Chinese government uses APT groups like Mustang Panda and CeranaKeeper to support government activities through espionage and other cybercrimes.