Chinese Hackers Targeted G7 Summit Through MS Office Flaw

Suspected Chinese APT groups exploited a 17-year-old Microsoft Office vulnerability in May to launch malware attacks against foreign government officials who attended a G7 summit in Hiroshima, Japan.

See Also: OnDemand Webinar | Learn Why CISOs Are Embracing These Top ASM Use Cases Now

Threat actors targeted government officials from France, the United Kingdom, India, Singapore and Australia who attended a session on global food security, where they also discussed issues specific to the Chinese military and economic policies.

Cybersecurity company SentinelOne reported that it had observed Chinese APT groups masquerading as Indonesia’s Ministry of External Affairs and Department of Economic Affairs in emails sent to foreign government officials. The emails contained a malicious rich text format file named “Hiroshima Action Statement for Resilient Global Food Security” to lure the officials into downloading the attachment.

The malicious emails appeared to be genuine. They appeared to have been sent by a government agency and the document’s wording matched that of the action statement released on May 20 by G7 countries.

China on May 20 severely criticized statements issued by G7 nations at the Hiroshima Summit, stating that the G7 group is hindering international peace, undermining regional stability and curbing other countries’ development.

SentinelOne said the APT groups crafted the malicious RTF files to exploit a 17-year-old Microsoft Office memory corruption vulnerability that enables attackers to run arbitrary code in infected devices. Microsoft fixed the vulnerability, tracked as CVE-2017-11882, in 2017, stating that the vulnerability had arisen due to the Microsoft Office software failing to properly handle objects in memory.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software,” Microsoft said.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Niranjan Jayanand, threat hunting manager for the Asia-Pacific region at SentinelOne WatchTower, told Information Security Media Group the attackers used the RoyalRoad builder tool to craft the RTF file.

He said SentinelOne could not attribute the email-based attacks to a specific APT group but that several Chinese APT groups in 2017 had used RoyalRoad to poison Microsoft Office files to target foreign government officials. When downloaded, the RTF file deployed info-stealer malware that connected to a remote command-and-control server with the IP address 13.236.189.80.

Cybersecurity company Cybereason in 2021 described how a Chinese threat group used the RoyalRoad exploit builder to create malicious RTF files, which were used to target a defense contractor that develops nuclear submarine technology for the Russian Navy.

Threat intelligence firm Group-IB in February said the Tonto Team, a Chinese state-sponsored espionage group, used the RoyalRoad exploit builder – a malware tool “mainly used by Chinese APT groups” – to weaponize a decoy RTF document for a spear-phishing operation targeting its employees (see: Chinese Threat Group Leaks Hacking Secrets in Failed Attack).