Earth Lusca: China-Linked Espionage Group Targets Taiwan, Exploits Geopolitical Tensions

Nation-state backed cyberattacks are a growing concern in an interconnected world. Earth Lusca, a threat group with ties to China, has proven itself a cunning player in this high-stakes arena. Recently uncovered by Trend Micro, Earth Lusca’s latest campaign reveals the evolving tactics employed by these state-sponsored actors, and exposes their continued interest in Taiwan as a primary target.

Luring Targets with Political Themes

Trend Micro’s vigilant monitoring recently unveiled Earth Lusca’s latest gambit—a cunning campaign exploiting the delicate Chinese-Taiwanese relations. With high confidence, Trend Micro attributes this insidious operation to Earth Lusca, drawing upon the intricate web of tools, techniques, and procedures (TTPs) familiar to the group’s dark artistry. Between December 2023 and January 2024, the campaign unfurled, deploying a document laced with geopolitical discourse as bait—a document believed to be purloined from a Taiwanese geopolitical expert, strategically released in the tempestuous run-up to the Taiwanese national elections.

A startling revelation linked Earth Lusca to a Chinese entity known as I-Soon, unmasked through a breach of private documents. This leak not only illuminated the nefarious activities of Earth Lusca but also hinted at a deep-seated connection with I-Soon, blurring the lines between these shadowy entities and suggesting a collusion rooted in cyber fraud.

A Complex Infection Chain

The attack itself is a multi-stage operation:

  1. Hidden Payload: Victims receive seemingly innocuous Microsoft Word, PowerPoint, or PDF documents within an archive. However, this archive holds a malicious stowaway – disguised JavaScript code.
  2. JavaScript Trickery: The JavaScript drops a text file containing another hidden layer, a cabinet archive. It then uses built-in Windows tools to unpack the archive, revealing the payload.
  3. Stolen Legitimacy: Earth Lusca hijacks a legitimate executable with a compelling name, ‘360se.exe’, from the Chinese security company Qihoo 360. This seemingly harmless file loads a malicious DLL.
  4. Cobalt Strike Strikes Again: The final payload is a stageless Cobalt Strike implant. This favored tool of many attackers grants Earth Lusca extensive remote control capabilities.

The I-Soon Connection

The recent leak of data on I-Soon, a Chinese company specializing in cybersecurity, has shed further light on the shadowy world of state-aligned threat actors. Trend Micro’s analysis highlights unsettling parallels between Earth Lusca and I-Soon. Shared victims, identical malware choices, and even close geographic proximity point to a potential connection, perhaps even outright collaboration. This raises concerns about the blurring lines between legitimate security companies and state-sponsored hacking operations.

Who’s at Risk?

Government agencies think tanks, policy experts, and any individuals shaping the political climate of Taiwan are likely the primary targets of Earth Lusca. However, the potential fallout from geopolitical espionage extends far beyond a single nation. Access to sensitive documents and insider knowledge can influence trade deals, diplomatic relationships, and even defense strategies – with global repercussions.

Defend Against Espionage

Earth Lusca’s campaign underscores the dangers of state-backed cyberattacks. Organizations and individuals alike must prioritize the following:

  • Security Awareness: Skepticism about email or website links is vital. Social engineering tactics are growing increasingly convincing.
  • System Updates: Patching vulnerabilities quickly deprives attackers of easy entry points.
  • Security Best Practices: Strong security solutions and training remain crucial lines of defense.

The threat posed by groups like Earth Lusca is genuine. Staying informed and maintaining robust security protocols are the keys to safeguarding sensitive information and operations.