Fox-IT, a Netherlands-based security company, has recently issued a report on the Mofang group – said to be a closed group with very specific, seldom-used attack tools. Thus far, different Mofang attacks have not been observed running simultaneously. The first Mofang attacks occurred in 2012, targeting different government institutions in the USA, Singapore, and Myanmar. These attacks also targeted security-related organizations and companies in Canada, Korea, and India. Two German companies were also attacked, with recent newspaper reports naming Rheinmetall as one of the German victims. Since early 2015, however, organizations in Myanmar have been the only victims.
Fox-IT describes Mofang as a Chinese organization, based on evidence including terms used in the code and technical similarities to other campaigns from China. These factors could, however, have been planted deliberately to disguise the true origin of the attacks. The more convincing argument for Mofang being a Chinese organization therefore lies in the similarity of the campaigns' objectives, which have all been very much in line with the geopolitical interests of the PRC. This is particularly clear for the Myanmar attacks, described in detail in the Fox-IT report.
Especially interesting is the fact that the Mofang attackers have never used exploits for the initial infection of target systems. Instead, they relied heavily on social engineering as a way to enter the systems. The main compromise vector has always been an email inviting targets to open attached files. As such, the report on the Mofang group highlights the crucial importance of the human factor in cybersecurity. Measures such as cybersecurity culture-building and employee training and monitoring have to play a major role in all cybersecurity strategies.