This summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. Based on our research, we consider with moderate confidence that the Chinese-speaking APT group LuckyMouse is behind the attack. The APT group planted backdoors and keyloggers to gain long-term access to government networks, and then uploaded a variety of tools that they used for additional activity on the compromised network, such as scanning the local network and dumping credentials.

According to our local telemetry, the government institutions were attacked in two ways. One was through a vulnerable company that provides services for these agencies; the other was through a spear-phishing email with a malicious attachment, a weaponized document exploiting CVE-2017-11882. We presume that the main aim of the cyber-espionage was the exfiltration of sensitive data from government agencies of interest to the attackers.
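The spear-phishing vector above relies on CVE-2017-11882, a memory-corruption bug in the Microsoft Office Equation Editor (EQNEDT32.EXE). Equation Editor itself runs legitimately whenever a document embeds an equation object, so the useful detection signal is Equation Editor becoming the parent of another process, which it has no reason to do. The following is an added example, not Avast's code and not part of the original post: it scans constructed process-creation events in a hypothetical `parent="…" image="…" cmdline="…"` format (the format and the sample lines are assumptions) and flags any child spawned by EQNEDT32.EXE, with a stronger label when that child is a command interpreter or a commonly abused Windows binary.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Equation Editor binary targeted by CVE-2017-11882.
EQUATION_EDITOR = "eqnedt32.exe"
# Interpreters and commonly abused Windows binaries that a legitimate
# Equation Editor session never needs to start.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}

# Hypothetical log format for this example: parent="…" image="…" cmdline="…"
EVENT_RE = re.compile(r'parent="([^"]*)"\s+image="([^"]*)"\s+cmdline="([^"]*)"')


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one process-creation line in the constructed key="value" format."""
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError("unparseable event: %r" % line)
    return ProcEvent(*m.groups())


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for the event, or None when nothing is suspicious."""
    if basename(ev.parent_image) != EQUATION_EDITOR:
        return None  # Equation Editor starting is normal; only its children matter
    if basename(ev.image) in INTERPRETERS:
        return "equation-editor-spawned-interpreter"
    return "equation-editor-spawned-child"


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (event index, label, child image name) for every flagged event."""
    findings = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        label = classify(ev)
        if label is not None:
            findings.append((idx, label, basename(ev.image)))
    return findings


# Constructed sample events: a benign Word launch, a benign Equation Editor
# start via COM (parent svchost.exe), two post-exploitation children of
# EQNEDT32.EXE, and an unrelated interactive cmd.exe.
SAMPLE_EVENTS = [
    r'parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE /n report.docx"',
    r'parent="C:\Windows\System32\svchost.exe" image="C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" cmdline="EQNEDT32.EXE -Embedding"',
    r'parent="C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c C:\Users\Public\update.exe"',
    r'parent="C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" image="C:\Users\Public\update.exe" cmdline="C:\Users\Public\update.exe"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"',
]

if __name__ == "__main__":
    for idx, label, child in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label} ({child})")
```

Only events 2 and 3 are flagged: the Equation Editor start in event 1 is left alone because it is the expected behaviour for a document with an embedded equation, and the interactive `cmd.exe` in event 4 has an unrelated parent. In a real deployment the same rule maps directly onto Sysmon Event ID 1 or EDR process-creation telemetry, where the parent image field is available.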