blog post

TAG-74

Insikt Group, the threat research division of Recorded Future, has disclosed a multi-year cyber-espionage campaign it tracks as TAG-74, attributed to Chinese state-sponsored actors. The campaign mainly targets South Korean academic, political, and government organizations.

Insikt Group ties TAG-74 to Chinese military intelligence, making it a significant threat not only to South Korea but also to Japan and Russia. The targeting of South Korean academic institutions is consistent with China's broader aims of intellectual property theft and expanding its influence in global higher education.

China's interest in collecting intelligence on South Korea likely stems from geographic proximity and South Korea's pivotal role in the China-US regional rivalry in the Indo-Pacific. Recent strains have become evident, with China voicing concern about South Korea's deepening ties with the US, especially regarding Taiwan, and about its joint efforts with Japan to counter China.

TAG-74 is a long-running Chinese state-sponsored espionage group with a track record against South Korean, Japanese, and Russian entities. Its intrusion chain starts with malicious .chm (compiled HTML Help) files that set off a DLL hijacking sequence, which in turn executes a customized version of the open-source VBScript backdoor ReVBShell. Once ReVBShell gives the operators initial access, they deploy a further custom backdoor, Bisonal, to deepen the intrusion. Notably, this ReVBShell variant appears to be shared between TAG-74 and the affiliated Tick Group, suggesting some degree of cooperation between the two.

TAG-74's intelligence operations, which rely on spoofed domains and decoy documents, are expected to intensify as China gathers insight for its diplomatic and trade negotiations with South Korea.

Given TAG-74's sustained focus on South Korean targets and its probable alignment with the PLA's Northern Theater Command, the group will almost certainly continue its espionage against South Korea, Japan, and Russia. It is worth noting that the use of .chm files by Chinese state-sponsored actors is not widespread outside of South Korea. The technique has, however, been seen in TAG-74's operations and in tradecraft attributed to North Korean state-sponsored groups such as Kimsuky and APT37.

Organizations should therefore watch for .chm files on their systems, particularly ones that are unfamiliar or turn up in unexpected locations, given the technique's recent rise in popularity among attackers.
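As a concrete starting point for the advice above, here is an added example (my own code, not from the original post or from the Insikt Group report) that does two things a defender would want: it identifies CHM files by their ITSF header rather than trusting the .chm extension, and it runs a simple detection over process-creation events for the shape of chain described earlier, where hh.exe (the Windows HTML Help viewer that is the default handler for .chm files) opens a .chm and then spawns a scripting or loader process. The list of suspicious child processes and the sample events are constructed for this example; the DLL hijacking step itself is not modelled, so treat the rule as a triage heuristic, not as an indicator list from the report.

```python
"""Hunting for .chm-based execution chains in process-creation telemetry.

Added example; not code from the original post or the Insikt Group report.
Sample events below are constructed, not real telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Every compiled HTML Help (CHM) file begins with the ITSF header signature.
CHM_MAGIC = b"ITSF"

# Children of hh.exe that are suspicious in most environments. This set is an
# assumption of this example, not an indicator list taken from the report.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe",
}


def is_chm_file(header: bytes) -> bool:
    """True if the leading bytes carry the CHM (ITSF) signature.

    Pass the first few bytes of a file, e.g. open(path, "rb").read(4), so that
    a .chm renamed to .txt or a non-CHM renamed to .chm is classified correctly.
    """
    return header[:4] == CHM_MAGIC


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, in the shape most EDR/Sysmon feeds provide."""
    pid: int
    parent_pid: int
    image: str          # executable file name as logged
    command_line: str


def find_chm_execution_chains(
    events: Iterable[ProcessEvent],
) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """Return (hh.exe event, child event) pairs where hh.exe was launched with a
    .chm on its command line and then spawned a process in SUSPICIOUS_CHILDREN."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in by_pid.values():
        parent = by_pid.get(child.parent_pid)
        if parent is None or parent.image.lower() != "hh.exe":
            continue
        if ".chm" not in parent.command_line.lower():
            continue
        if child.image.lower() in SUSPICIOUS_CHILDREN:
            hits.append((parent, child))
    return hits


# Constructed sample telemetry: one benign help-file open, one suspicious chain.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 900, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(1100, 1000, "hh.exe", r'hh.exe "C:\Users\kim\Downloads\invitation.chm"'),
    ProcessEvent(1101, 1100, "wscript.exe",
                 r"wscript.exe //e:vbscript C:\Users\kim\AppData\Local\Temp\update.txt"),
    ProcessEvent(1200, 1000, "hh.exe", r'hh.exe "C:\Program Files\Tool\help.chm"'),
    ProcessEvent(1300, 1000, "cmd.exe", "cmd.exe /c dir"),
]


if __name__ == "__main__":
    print("ITSF header check:", is_chm_file(b"ITSF\x03\x00\x00\x00"))
    for parent, child in find_chm_execution_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: {parent.image} (pid {parent.pid}) -> "
              f"{child.image} (pid {child.pid}): {child.command_line}")
```

In the sample set only the Downloads-folder .chm that goes on to launch wscript.exe is flagged; the help file opened from Program Files that spawns nothing is not. In practice you would feed the same function a window of real process-creation events and pair the header check with a file inventory of user-writable directories, since the chain the post describes begins with a .chm the user was lured into opening.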

I would love to see a show of hands from folks who believe we are simply overwhelmed with new threats on a daily basis, and in order to prevail in this war, we will have to change our fundamental organizing principles so that we more closely resemble the Israeli IDF cyber-warriors, à la a national cyber-defense military.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
