# Chinese Cyber-Espionage Group Hacked Government Data Center **[bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/](https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/)** Catalin Cimpanu By [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/) June 15, 2018 10:00 AM 0 A Chinese-linked cyber-espionage unit has hacked a data center belonging to a Central Asian country and has embedded malicious code on government sites. The hack of the data center happened sometime in mid-November 2017, according to a [report published by Kaspersky Lab earlier this week.](https://securelist.com/luckymouse-hits-national-data-center/86083/) Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group [3390, Bronze Union, ZipToken, and Iron Tiger [1,](https://www.secureworks.com/research/bronze-union) [2,](http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states) [3,](https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage) [4,](https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/) [5].](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/) ## Hackers redirected visitors of government sites to malware Kaspersky researchers say LuckyMouse used access to the data center to add JavaScript code to government sites, which redirected users to malicious sites hosting exploitation [tools such as ScanBox and](http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html) [BEeF (Browser Exploitation Framework).](http://beefproject.com/) ----- On these sites, these tools would attempt to infect users with HyperBro, a remote access trojan that operated via an "in-memory" state, leaving minimal traces on disk that could be identified by antivirus solutions. Researchers say they found evidence of this end-user infection campaign taking place from December 2017 to January 2018. Kaspersky didn't name the Central Asian country, but they did say LuckyMouse targeted it before in previous campaigns. The Russian antivirus vendor also didn't say how hackers breached the data center hosting government sites, as they didn't have enough evidence to formulate a conclusion. ## LuckyMouse hacked a MikroTik router to host their C&C server Another detail that also stood out was that LuckyMouse appears to have hacked a MikroTik router to host the command and control server of the HyperBro RAT. Attackers would use this router to control and retrieve data from infected victims, putting an additional layer of anonymity between them, victims, and forensic investigators. This is not the first time that nation-state hackers have used routers as part of their attack [infrastructure, this being a very popular trend recently (let's not forget](https://www.bleepingcomputer.com/news/security/cyber-espionage-groups-are-increasingly-leveraging-routers-in-their-attacks/) [VPNFilter), but it is](https://www.bleepingcomputer.com/news/security/nation-state-group-hacked-500-000-routers-to-prepare-a-cyber-attack-on-ukraine/) the first time they hosted a C&C server on one. "The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites," Kaspersky expert Denis Legezo explained. "Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign." ### Related Articles: [Hackers target Russian govt with fake Windows updates pushing RATs](https://www.bleepingcomputer.com/news/security/hackers-target-russian-govt-with-fake-windows-updates-pushing-rats/) [Chinese ‘Space Pirates’ are hacking Russian aerospace firms](https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/) [Google: Chinese state hackers keep targeting Russian govt agencies](https://www.bleepingcomputer.com/news/security/google-chinese-state-hackers-keep-targeting-russian-govt-agencies/) [Cyberspies use IP cameras to deploy backdoors, steal Exchange emails](https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to-deploy-backdoors-steal-exchange-emails/) [Trend Micro fixes bug Chinese hackers exploited for espionage](https://www.bleepingcomputer.com/news/security/trend-micro-fixes-bug-chinese-hackers-exploited-for-espionage/) [APT](https://www.bleepingcomputer.com/tag/apt/) [China](https://www.bleepingcomputer.com/tag/china/) [Cyber-espionage](https://www.bleepingcomputer.com/tag/cyber-espionage/) [Data Center](https://www.bleepingcomputer.com/tag/data-center/) [Drive-By Download](https://www.bleepingcomputer.com/tag/drive-by-download/) ----- [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/) Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page. [Previous Article](https://www.bleepingcomputer.com/offer/deals/get-98-percent-off-the-ultimate-backend-developer-bundle-deal/) [Next Article](https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----