Microsoft Says China-Linked Hackers Abused Azure in Attacks

Microsoft Reports Evolution of China-Linked Threat Actor GADOLINIUM


Microsoft this week announced that it recently removed 18 Azure Active Directory applications that were being abused by China-linked state-sponsored threat actor GADOLINIUM.


Also known as APT40, TEMP.Periscope, TEMP.Jumper, Leviathan, BRONZE MOHAWK, and Kryptonite Panda, the adversary has been active since at least 2013, mainly operating in support of China’s naval modernization efforts, through targeting various engineering and maritime entities, including a U.K.-based company.


The threat actor was recently observed leveraging Azure cloud services and open source tools in attacks employing spear-phishing emails with malicious attachments.


“As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure,” the tech company says.


According to Microsoft, GADOLINIUM has expanded its target list to include the Asia-Pacific region, as well as other targets in higher education and regional government organizations. Previously employing custom malware, the threat actor has added open-source tools to their toolset over the past year, making tracking more difficult.


The group has been experimenting with the use of cloud services for years, starting with a Microsoft TechNet profile in 2016. In 2018, the hackers abused GitHub to host commands, and 2019 and 2020 attacks employed similar techniques.


Over the past year, similar to other state-sponsored threat groups, GADOLINIUM has included open-source tools in its portfolio, which also results in lower overall costs for the attackers, in addition to making ..