>samit_hota
Back to adversary profiles
G0062HighActive

TA459: China-Backed Espionage Group Targeting Eurasian Interests

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Information Theft
Aliases
None documented
Target Sectors
Telecommunications, Military, Defense, Government, Financial Services (analysts covering CIS/telecom), Media, Human Rights Groups
Associated Malware
PlugX, ZeroT, NetTraveler, Saker, Netbot, DarkStRat, PCrat/Gh0st RAT, Chinoxy
#threat-actor#g0062

Overview

TA459, tracked by MITRE ATT&CK as G0062, is a persistent and sophisticated advanced persistent threat (APT) group widely believed to operate out of China. This group has been actively conducting cyber espionage operations since at least 2013, focusing primarily on intelligence collection relevant to Beijing’s strategic interests. Their targeting encompasses a range of entities in Russia and Central Asian countries such as Belarus, Mongolia, Afghanistan, Tajikistan, and Kazakhstan. While their core objective is espionage, particularly related to military posture, telecommunications infrastructure, and political developments across former Soviet states, TA459 also demonstrates a unique “collateral targeting” pattern, frequently compromising financial analysts who cover the telecommunications industry, rather than solely attacking the telecom firms directly. This indicates a methodical approach to gathering comprehensive intelligence.

Tactics & Techniques

TA459 consistently employs spear-phishing as its primary initial access vector. These campaigns are notably well-crafted, often featuring lures tailored to the victim’s native language (e.g., Russian for Russian targets) and topically relevant filenames. Malicious attachments are a common delivery method, often leveraging weaponized Microsoft Word documents.

The group has a history of exploiting publicly disclosed vulnerabilities rapidly. For instance, they exploited CVE-2017-0199, a Microsoft Word HTA logic flaw, within days of its public disclosure in a campaign targeting financial analysts. Another notable exploit was CVE-2012-0158, a Microsoft MSCOMCTL.OCX buffer overflow, used in a 2015 campaign against Russian telecom and military organizations.

A typical TA459 attack chain involves a victim opening a malicious document from a spear-phishing email. This action triggers a cascade, often downloading an HTML Application (HTA) file, which then executes embedded VBScript or PowerShell to fetch and run their custom ZeroT downloader. For persistence, TA459 utilizes techniques such as DLL side-loading (T1574.002) and manipulating Registry Run Keys/Startup Folder (T1547.001). They establish command and control (C2) channels designed to blend in, often using HTTP and employing techniques like disguising payloads as bitmap images via LSB steganography (T1027.003) for ZeroT, making detection more challenging. Their C2 infrastructure frequently involves dedicated domains, some of which are look-alike domains mimicking legitimate Russian sites to enhance credibility.

Notable Campaigns

TA459 has been observed in significant campaigns since at least 2013. Early activity, retrospectively documented by ESET, involved targeting military installations in Afghanistan and Tajikistan.

A pivotal moment for public awareness of TA459 came with Proofpoint’s 2015 report, “In Pursuit of Optical Fibers and Troop Intel,” which detailed operations against Russian military and telecommunications organizations. This campaign leveraged CVE-2012-0158.

In 2017, the group launched a campaign specifically targeting financial analysts covering the telecommunications industry in Russia and neighboring countries, exploiting the then-recently patched CVE-2017-0199. This demonstrated their ability to quickly integrate new vulnerabilities into their arsenal.

More recently, in April 2022, TA459 targeted media personnel with malicious Royal Road RTF attachments to deploy Chinoxy malware. The targeted entity was reportedly involved in reporting on the Russia-Ukraine conflict, aligning with TA459’s historical mandate of collecting intelligence related to Russia and Belarus. Reports from January 2023 also indicate TA459 actively targeting financial sector organizations with updated versions of PlugX and PCRat/Gh0st RATs, showcasing sustained operational continuity.

Associated Malware & Tools

TA459 possesses a diverse and evolving malware arsenal, often leveraging both well-known Chinese APT tools and custom-built malware. Key implants include:

  • PlugX: This is a feature-rich Remote Access Trojan (RAT) commonly used by numerous Chinese APT groups, enabling file exfiltration, keylogging, screenshots, and remote command execution.
  • ZeroT: A custom-built downloader that serves as a stage-1 loader for other payloads like PlugX. It employs RC4 encryption for C2 traffic and uses LSB steganography to conceal its payload within bitmap images, making it a distinctive element of TA459’s tradecraft.
  • NetTraveler (aka TravNet): A RAT used in campaigns as early as 2016 against Russian and European targets, including weapons manufacturers and human rights groups.
  • Saker, Netbot, DarkStRat: These malware families were reportedly used in early campaigns around 2013.
  • PCrat/Gh0st RAT: A variant of Gh0st RAT used alongside PlugX in some campaigns, including those targeting the financial sector in 2023.
  • Chinoxy: A backdoor observed in use by TA459 in April 2022 campaigns against media personnel.

The group’s use of ZeroT, combined with its specific geographic focus and targeting patterns, often helps distinguish TA459 from other China-linked actors who might use overlapping tools like PlugX.

Current Status

TA459 remains an active and persistent threat. Intelligence indicates continuous operations since at least 2013, with consistent refinement of their tradecraft, malware, and targeting. Recent activity documented in January 2023 by SecurityWeek confirms their ongoing targeting of financial sector organizations using PlugX and PCRat/Gh0st RATs. Their consistent use of spear-phishing, rapid exploitation of new CVEs, and the continuous evolution of their custom tools like ZeroT highlight an adaptive adversary with sustained operational continuity. Organizations in their target aperture, particularly those with exposure to Russia, CIS states, or financial analysis covering these regions, should remain vigilant.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call