A Chinese-state-aligned hacking group has been ramping up its targeting of diplomatic entities in Europe as the war in Ukraine has intensified, cybersecurity researchers reveal.

Using malicious email campaigns to deliver malware, a hacker known as TA416 (AKA Red Delta), who is aligned with the Chinese state, has been targeting Europe for several years.

Proofpoint researchers have been piecing the activity together, and have revealed that a team has been tracking the hacker since 2020.

The cyber security company says the tempo of the attacks has increased sharply since Russian troops began approaching the Ukraine border on 24 February this year.

Most recently, TA416 began using a compromised email address of a diplomat from a European NATO country to target a different country’s diplomatic offices. The targeted individual worked in refugee and migrant services.

Campaigns used by the hacker have centred on web bugs to profile targets before dropping malware. These indicate to the attacker that the targeted account is valid and that the victim is inclined to open emails that utilise social engineering content. This suggests more discerning targeting from TA416 and could even be an attempt to avoid having their malicious tools discovered and publicly disclosed, according to Proofpoint.

The targeted campaigns include malicious links and decoy documents related to the border movements of Ukrainian refugees, with the aim of delivering malware called PlugX to victims. PlugX is a Remote Access Trojan (RAT) which, when installed, can be used to fully control the victim’s machine.

Proofpoint researchers identified web bug reconnaissance campaigns targeting European diplomatic entities in early November 2021.

The emails first originated from a spoofed sender that impersonated a Meetings Services Assistant at the United Nations General Assembly Secretariat.

The hacker achieved this impersonation by using a legitimate email marketing service that allows users to alter the envelope sender field while using a unique sender address generated by the service.

TA416’s campaigns have utilised web bugs to profile their targets before dropping the malware.

These indicate to the attacker that the targeted account is valid and that the victim is inclined to open emails. This suggests more discerning targeting from TA416 and may be an attempt to avoid having their malicious tools discovered and publicly disclosed.

Proofpoint researchers commented: “The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt.”

They reveal that the team continued to identify web reconnaissance campaigns a month later, which used a rudimentary style of encoding and resource names.

This was done with a web bug URL which includes infrastructure that uses a benign image file, several designations about the email campaign, and unique designations for each individual user targeted in the email campaign.

This allows the threat actor to validate which recipients received and opened the phishing email.
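A defender's view of the web bug described above, as an added example that is not from Proofpoint or the original article: a mail-filter style check that flags remote images which are invisible or carry a long opaque value in the URL. The sample message, the hosts, the `find_web_bugs` name and the 12-character token heuristic are all assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message: every host, path and parameter name is a placeholder.
SAMPLE_EML = """\
From: "Meetings Services" <sender@mailer.example>
Content-Type: text/html; charset="utf-8"

<p>Please see the schedule.</p>
<img src="https://static.example/logo.png" width="120" height="40">
<img src="https://track.example/c/nov-brief/9f3a7c21d4e84b06/pixel.png" width="1" height="1">
<img src="https://track.example/open.gif?cid=brief01&amp;rid=u8Xk2Qp7Lm4Zt9Rb" style="display:none">
"""

TOKEN = re.compile(r"^[A-Za-z0-9_=-]{12,}$")  # assumed heuristic for a per-recipient ID

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []  # attribute dicts of every <img> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))

def find_web_bugs(raw_eml):
    """Return (url, reasons) for each remote image that looks like a beacon."""
    findings = []
    for part in message_from_string(raw_eml).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = ImgCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for img in collector.imgs:
            url = urlsplit(img.get("src") or "")
            if url.scheme not in ("http", "https"):
                continue  # embedded (cid:/data:) images cannot report an open
            values = url.path.split("/") + [v for _, v in parse_qsl(url.query)]
            checks = {
                "tiny": img.get("width") in ("0", "1") and img.get("height") in ("0", "1"),
                "hidden": bool(re.search(r"display\s*:\s*none", img.get("style") or "", re.I)),
                "recipient-token": any(TOKEN.match(v) for v in values),
            }
            reasons = [name for name, hit in checks.items() if hit]
            if reasons:
                findings.append((url.geturl(), reasons))
    return findings
```

Blocking automatic remote image loading in the mail client keeps such a beacon from firing when the message is opened.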

“In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed.

“By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malicious malware payloads.”

According to Harvard Business Review, Ukraine is an appealing target for testing cyberwar capabilities.

The country has infrastructure similar to that found in Western Europe and North America, but has far more limited resources to counter-attack.

And while Russia is an obvious suspect, Proofpoint says it’s possible that other countries, such as Iran, North Korea or China, have been testing their own cyber weaponry on Ukraine too.