Chinese cyber spies “compromising” diplomatic targets in South America, warns Microsoft


Microsoft Security Intelligence has observed a China-based threat actor it tracks as DEV-0147 targeting diplomatic organisations in South America, in what it called a “notable” expansion of the group’s operations beyond its traditional focus on Asia and Europe.

DEV-0147’s attacks in South America included “post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement,” Microsoft’s security researchers said in a Twitter thread, as well as “the use of Cobalt Strike for command and control and data exfiltration.” Cobalt Strike is a commercial adversary-simulation framework whose cracked copies are widely abused by both criminal and state-backed intrusion sets, so its presence alone does not attribute an intrusion to any particular group.

Microsoft said DEV-0147 is known to use tools such as ShadowPad, a modular remote access trojan, to maintain persistent access. ShadowPad is shared among several China-based actors, so its presence alone does not identify the group. Microsoft also said the group uses QuasarLoader, which it described as a webpack loader, to deploy additional malware.

Microsoft said the activity was detected by Microsoft 365 Defender, its threat protection suite, with the relevant alerts surfacing in Microsoft Defender for Identity and Microsoft Defender for Endpoint.

Microsoft described the compromise of diplomatic targets in South America as “a notable expansion of the group’s data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe.”

It comes as Latin America is getting increasingly caught up in a great power rivalry between China and the US. A suspected spy balloon – similar to those shot down in the US and Canada – was also detected flying over Central and South America earlier this month.

Beijing acknowledged the balloon’s ownership last week but denied it was used for spying. The Pentagon said it was part of China’s fleet of surveillance balloons also spotted in Asia and Europe.