Chinese Hackers Breach ISP to Infect Software Updates with Malware
03 August 2024 | Zaker Adham
A Chinese hacking group known as StormBamboo has infiltrated an unnamed internet service provider (ISP) to corrupt automatic software updates with malware. Also referred to as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting entities in China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.
On Friday, Volexity threat researchers disclosed that the group abused software update mechanisms that fetched updates over plain HTTP and did not validate digital signatures, using them to deploy malware on Windows and macOS devices. With access to the ISP, the attackers intercepted victims' DNS queries and answered them with attacker-controlled IP addresses, so update checks that should have reached the vendor's server were served by StormBamboo's command-and-control infrastructure instead. Because the update clients trusted whatever the resolved host returned, the malicious payload was installed without any user interaction.
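The following Go program is an added illustration of the failure mode described above; it is not code from Volexity, from the affected vendors, or from the article. It models an update client as the report describes it (plain HTTP, no signature check) next to one that verifies a detached Ed25519 signature against a public key pinned in the client, and runs both against a resolver that has been poisoned to point the update host at an attacker's server. The hostname, IP addresses, payload bytes and key seeds are all constructed for the example and are not indicators from the report.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed sample data (not from the Volexity report). Seeds are fixed so the
// demo is deterministic; a real vendor key never leaves its signing infrastructure.
var (
	LegitPayload     = []byte("vendor-app 2.4.1 setup bytes")
	MaliciousPayload = []byte("trojanised setup bytes")
	vendorSeed       = bytes.Repeat([]byte{0x11}, ed25519.SeedSize)
	attackerSeed     = bytes.Repeat([]byte{0x22}, ed25519.SeedSize)
)

// network stands in for DNS plus the HTTP servers behind it. Hostnames and IPs
// are placeholders, not indicators from the report.
type network struct {
	dns   map[string]string            // hostname -> IP the resolver answers with
	hosts map[string]map[string][]byte // IP -> path -> response body
}

// httpGet models a plain-HTTP fetch: it trusts whatever IP the resolver returns.
func (n *network) httpGet(host, path string) ([]byte, error) {
	ip, ok := n.dns[host]
	if !ok {
		return nil, errors.New("dns: NXDOMAIN for " + host)
	}
	body, ok := n.hosts[ip][path]
	if !ok {
		return nil, fmt.Errorf("http: 404 for %s%s (served by %s)", host, path, ip)
	}
	return body, nil
}

// fetchUpdateInsecure is the pattern the report describes: the resolved host's
// response is the update, with no check on who produced it.
func fetchUpdateInsecure(n *network, host string) ([]byte, error) {
	return n.httpGet(host, "/update.bin")
}

// fetchUpdateVerified keeps plain HTTP as transport but rejects any payload whose
// detached Ed25519 signature fails under a key pinned into the client at build
// time. A poisoned resolver chooses the server; it cannot forge that signature.
func fetchUpdateVerified(n *network, host string, pinned ed25519.PublicKey) ([]byte, error) {
	payload, err := n.httpGet(host, "/update.bin")
	if err != nil {
		return nil, err
	}
	sig, err := n.httpGet(host, "/update.bin.sig")
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, payload, sig) {
		return nil, errors.New("update rejected: signature does not verify under pinned vendor key")
	}
	return payload, nil
}

// RunScenario builds the network, optionally poisons the DNS answer for the
// update host, and returns what each client would install (nil when rejected).
func RunScenario(poisoned bool) (insecure, verified []byte, verifiedErr error) {
	vendorPriv := ed25519.NewKeyFromSeed(vendorSeed)
	attackerPriv := ed25519.NewKeyFromSeed(attackerSeed)
	pinned := vendorPriv.Public().(ed25519.PublicKey)
	const updateHost = "updates.vendor.example" // placeholder hostname
	n := &network{
		dns: map[string]string{updateHost: "198.51.100.10"}, // honest answer
		hosts: map[string]map[string][]byte{
			"198.51.100.10": { // vendor
				"/update.bin":     LegitPayload,
				"/update.bin.sig": ed25519.Sign(vendorPriv, LegitPayload),
			},
			"203.0.113.7": { // attacker, signing with a key the client does not pin
				"/update.bin":     MaliciousPayload,
				"/update.bin.sig": ed25519.Sign(attackerPriv, MaliciousPayload),
			},
		},
	}
	if poisoned {
		n.dns[updateHost] = "203.0.113.7" // the ISP-level DNS poisoning
	}
	insecure, _ = fetchUpdateInsecure(n, updateHost)
	verified, verifiedErr = fetchUpdateVerified(n, updateHost, pinned)
	return insecure, verified, verifiedErr
}

func main() {
	for _, poisoned := range []bool{false, true} {
		insecure, verified, err := RunScenario(poisoned)
		fmt.Printf("poisoned=%v: insecure installs %q; verified installs %q (err: %v)\n", poisoned, insecure, verified, err)
	}
}
```

With an honest resolver both clients install the vendor's payload; once the DNS answer is poisoned, the insecure client installs the attacker's bytes while the verifying client refuses them. The point is that the transport is not where the trust comes from: moving to HTTPS would have raised the bar, but a signature over the artifact under a key the client already holds is what makes a redirected download useless to the attacker.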
Volexity's blog post noted that StormBamboo targeted multiple software vendors whose update processes were insecure in this way. The researchers notified the ISP, which investigated key traffic-routing devices on its network; once the ISP rebooted and took certain network components offline, the DNS poisoning ceased.
According to BleepingComputer, after compromising the target systems, the hackers installed a malicious Google Chrome extension called ReloadText, enabling them to steal browser cookies and email data.