Google’s Threat Intelligence Group Uncovers Chinese Hackers Using Google Calendar for Espionage

In a startling and concerning revelation, Google’s Threat Intelligence Group (GTIG) has identified a sophisticated cyber-espionage campaign orchestrated by a hacking group connected to China. The group, tracked as APT41 or HOODOO, is suspected of having links to the Chinese government, underscoring the persistent threat that state-sponsored cyber activity poses to sensitive information around the world.
The attack was initiated using a method known as spear phishing, which involves sending highly tailored emails to specific individuals or organizations. These deceptive emails included a link directing victims to a ZIP file that was hosted on a compromised government website. Once a target clicked on the link and downloaded the ZIP file, they were presented with a shortcut file that was cleverly disguised as a PDF document, as well as a folder filled with seemingly innocuous images of insects and spiders.
However, beneath the surface of this disguise lay a malicious intent. Two of the images were actually laced with malware. When victims clicked on the shortcut, they unwittingly triggered the malware, which then replaced itself with a counterfeit PDF document that misleadingly appeared to provide information about species export regulations. This tactic was likely employed to divert suspicion from the hacking attempt.
The malware operated in a methodical three-step process. Initially, it decrypted and executed a file named PLUSDROP directly in the computer's memory. Subsequently, it abused a legitimate Windows process to surreptitiously execute harmful code. In the final phase, a program known as TOUGHPROGRESS executed commands and systematically extracted sensitive data from the infected system.
What sets this attack apart from typical hacking efforts is the innovative use of Google Calendar as a communication medium between the hackers and their malware. The malware created short, zero-minute calendar events on specific dates. These events carried encrypted data or covert instructions hidden in their description fields. The malware regularly polled these calendar events for new commands issued by the hackers. Upon completing a task, it would create another event containing the stolen data, effectively turning Google Calendar into a covert command-and-control channel.
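A defender reviewing calendar data can hunt for the pattern described above: zero-minute events whose description is an opaque, high-entropy blob rather than readable text. The following is an added illustration, not code from Google or from the campaign; it assumes event records shaped like Google Calendar API v3 event resources (`id`, `start.dateTime`, `end.dateTime`, `description`) and uses constructed sample data. Zero-minute events are normal reminders on their own, so the check requires both signals together.

```python
import json
import math
import re
from datetime import datetime

# Constructed sample records shaped like Google Calendar API v3 event resources.
# ev1 is a normal meeting, ev2 a legitimate zero-minute reminder, ev3 mimics the
# pattern in the report: zero duration and an opaque encoded description.
SAMPLE_EVENTS = json.loads("""
[
 {"id": "ev1", "summary": "Team sync",
  "start": {"dateTime": "2024-10-03T10:00:00Z"}, "end": {"dateTime": "2024-10-03T10:30:00Z"},
  "description": "Weekly status call, agenda in the shared doc."},
 {"id": "ev2", "summary": "Reminder",
  "start": {"dateTime": "2024-10-05T09:00:00Z"}, "end": {"dateTime": "2024-10-05T09:00:00Z"},
  "description": "Submit expense report"},
 {"id": "ev3", "summary": "",
  "start": {"dateTime": "2024-10-07T00:00:00Z"}, "end": {"dateTime": "2024-10-07T00:00:00Z"},
  "description": "q7Vx9bK2mN4pR8sT1uW3yZ5aC6dE0fG2hJ4kL6mN8pQ0rS2tU4vW6xY8zA1bC3dE5fG7hJ9kL1mN3pQ5r"}
]
""")

def shannon_entropy(text):
    """Bits per character: English prose sits near 4, ciphertext/base64 near 5-6."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_zero_minute(event):
    """True when the event's start and end timestamps are identical."""
    start = datetime.fromisoformat(event["start"]["dateTime"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(event["end"]["dateTime"].replace("Z", "+00:00"))
    return (end - start).total_seconds() == 0

def looks_encoded(description, min_len=40, min_entropy=4.5):
    """Opaque blob: long, no whitespace, base64/hex-style alphabet, high entropy."""
    d = description.strip()
    return (len(d) >= min_len
            and re.fullmatch(r"[A-Za-z0-9+/=_-]+", d) is not None
            and shannon_entropy(d) >= min_entropy)

def suspicious_events(events):
    """Return ids of zero-duration events carrying an encoded-looking description."""
    return [e["id"] for e in events
            if is_zero_minute(e) and looks_encoded(e.get("description", ""))]
```

Thresholds are starting points; tune them against your own tenant's calendar data and treat hits as leads for investigation, not verdicts.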
Google disclosed that the campaign was discovered in October 2024 after malware was detected spreading from a compromised government website. In response to the threat, the tech giant promptly shut down the calendar accounts the hackers had exploited and dismantled other components of their online infrastructure. This incident underscores the evolving tactics employed by cybercriminals and the importance of vigilance in cybersecurity practices.