# Full Report
Google Threat Intelligence Group said it developed means to counter the activity, which it linked to APT41. The post Chinese hackers used Google Calendar to aid attacks on government entities appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: APT41 (Wicked Panda, Winnti, Double Dragon)
## Attribution & Identity
**Attribution:** Suspected People’s Republic of China-backed hackers, linked to the Chinese Ministry of State Security (MSS).
**Known Aliases and Associated Groups:** APT41, Wicked Panda, Winnti, Double Dragon.
## Activity Summary
The article focuses on a recent campaign, discovered in late October of the previous year, in which APT41 was observed using an exploited government website to host malware. This campaign specifically involved the use of Google Calendar for Command and Control (C2) communications to maintain stealth. Google Threat Intelligence Group developed custom countermeasures to dismantle the infrastructure used in this specific operation. APT41 has been increasingly active since 2019, targeting a wide array of sectors. In 2020, the US Justice Department charged seven individuals linked to this group for hitting hundreds of targets globally.
## Tactics, Techniques & Procedures
- **Command and Control (C2):** Leveraging legitimate cloud services (specifically Google Calendar) to host encrypted commands and blend with authentic activity.
- **Malware Delivery:** Sending spearphishing emails whose payloads were hosted on exploited government websites, accompanied by phony files and decoy PDFs.
- **C2 Execution Mechanism:** The malware (`TOUGHPROGRESS`) reads and writes events in an attacker-controlled Google Calendar. Encrypted commands are placed in events on specific past dates; the malware polls the Calendar, decrypts the commands, executes them, and encrypts the execution results before writing them back to another Calendar event.
- **TTP Category:** Misuse of cloud services for C2, a common technique used by threat actors seeking to blend in with legitimate traffic.
## Targeting
- **Sectors:** Government entities (primary focus of the recent campaign), entertainment, technology, and automotive sectors (based on historical activity).
- **Geography:** Targets reported in the United States and elsewhere (historical context).
- **Victims:** Multiple government entities were targeted in the recent campaign involving the abuse of Google Calendar for C2.
## Tools & Infrastructure
- **Malware Families Used:** TOUGHPROGRESS.
- **Infrastructure (C2, domains, IPs):** Attacker-controlled Google Calendars were used for C2. Google took action to terminate attacker-controlled Workspace projects and block associated malicious domains and URLs via Google Safe Browsing.
## Implications
APT41 demonstrates persistent innovation by leveraging widely trusted cloud platforms like Google Calendar for highly stealthy C2 communication, making detection significantly harder as their traffic mimics legitimate user activity. Their continued focus on government infrastructure highlights their role in supporting Chinese state intelligence objectives.
## Mitigations
- **Cloud Service Monitoring:** Implement enhanced monitoring and behavioral analysis for legitimate cloud services (like Google Calendar) to detect anomalous activity, such as mass event creation/polling or unexpected data traffic patterns that deviate from established norms.
- **Endpoint Protection:** Update file detections to identify the TOUGHPROGRESS malware payload.
- **Network Defense:** Ensure malicious domains and URLs associated with threat actors are added to blocklists (e.g., Google Safe Browsing or internal DNS sinks).
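The following detection sketch is an added example, not code from the article or from Google's report. It applies two of the ideas above, spotting high-frequency Calendar polling and events written onto long-past dates that carry an opaque encoded description, to a constructed, simplified audit feed; the record field names, actor addresses and thresholds are assumptions for illustration, not the real Google Workspace log schema.

```python
"""Heuristics for Calendar-as-C2 behaviour over a constructed audit feed."""
import math
from collections import Counter
from datetime import datetime

# Constructed sample records (field names are assumptions, not a real schema).
SAMPLE_EVENTS = [
    {"actor": "alice@corp.example", "action": "create", "ts": "2025-05-20T10:00:00",
     "start": "2025-05-30T10:00:00", "description": "Quarterly review prep"},
    {"actor": "bot7@corp.example", "action": "create", "ts": "2025-05-20T10:05:00",
     "start": "2022-01-15T00:00:00",   # event written onto a date years in the past
     "description": "m5pJrGeEuzQEh0ImbDTj3Yc7qgwOMiuPFVFRjfvAVKvF2vr4u6h6JWR3fT1sOAbDv0hGuyCl"},
]
# Constructed read log: (actor, timestamp). bot7 polls every two minutes.
SAMPLE_READS = [("bot7@corp.example", f"2025-05-20T11:{m:02d}:00") for m in range(0, 60, 2)]
SAMPLE_READS.append(("alice@corp.example", "2025-05-20T11:10:00"))


def shannon_entropy(text):
    """Bits per character; encrypted/encoded blobs score high, prose scores low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def suspicious_events(events, max_past_days=365, min_entropy=4.5):
    """Flag newly created events whose start date is far in the past and whose
    description looks like an opaque blob (no spaces, high entropy)."""
    hits = []
    for e in events:
        if e["action"] != "create":
            continue
        age_days = (datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(e["start"])).days
        desc = e["description"]
        if age_days > max_past_days and " " not in desc and shannon_entropy(desc) >= min_entropy:
            hits.append((e["actor"], e["start"][:10]))
    return hits


def heavy_pollers(reads, per_hour=20):
    """Actors that read the calendar more than per_hour times in any clock hour."""
    buckets = Counter((actor, ts[:13]) for actor, ts in reads)  # ts[:13] == YYYY-MM-DDTHH
    return sorted({actor for (actor, _), n in buckets.items() if n > per_hour})


if __name__ == "__main__":
    print("odd events:", suspicious_events(SAMPLE_EVENTS))
    print("heavy pollers:", heavy_pollers(SAMPLE_READS))
```

Thresholds like `per_hour` and `max_past_days` need tuning against a baseline of normal Calendar use in the tenant before alerting on them.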