Executive Summary
Since at least 2020, a Chinese-speaking threat actor identified as CL-UNK-1068 has been conducting cyber-espionage campaigns targeting critical infrastructure sectors across South, Southeast, and East Asia. The sectors affected include aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications. The attackers exploit vulnerabilities in public-facing web servers to gain initial access, deploying web shells like GodZilla and AntSword to maintain control. They employ tools such as Mimikatz and LsaRecorder for credential theft, and utilize custom malware alongside open-source utilities to facilitate lateral movement and data exfiltration. (darkreading.com)

This incident underscores the persistent and evolving nature of cyber threats from state-sponsored actors, particularly those linked to China. The use of sophisticated tools and techniques highlights the need for organizations to enhance their cybersecurity measures to detect and mitigate such threats effectively. (darkreading.com)
Why This Matters Now
The ongoing activities of CL-UNK-1068 highlight the increasing sophistication and persistence of state-sponsored cyber-espionage campaigns targeting critical infrastructure. Organizations must remain vigilant and proactive in implementing robust security measures to protect sensitive data and maintain operational integrity. (darkreading.com)
Attack Path Analysis
The adversary exploited vulnerabilities in public-facing web servers to deploy web shells, gaining initial access. They escalated privileges by deploying credential-dumping tools like Mimikatz to harvest sensitive credentials. Utilizing these credentials, they moved laterally across the network, accessing additional systems and databases. For command and control, they employed tools like Fast Reverse Proxy (FRP) to maintain persistent access and evade detection. Sensitive data was exfiltrated using encrypted channels to external servers. The impact included unauthorized access to critical infrastructure, potential data breaches, and prolonged espionage activities.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited vulnerabilities in public-facing web servers to deploy web shells, such as GodZilla and AntSword, gaining initial access to the network.
MITRE ATT&CK® Techniques
- Exploit Public-Facing Application
- Server Software Component: Web Shell
- Valid Accounts: Local Accounts
- Command and Scripting Interpreter: PowerShell
- Hijack Execution Flow: DLL Side-Loading
- OS Credential Dumping: LSASS Memory
- Network Service Discovery
- Non-Standard Port
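As an added defender-side example (not code from the Unit 42 or Dark Reading reporting), the following Python turns two of the techniques above into detection heuristics: web-shell interaction (a script path that is only ever POSTed to, never fetched with GET, as GodZilla/AntSword clients drive a dropped shell) and reverse-proxy style C2/exfiltration egress (outbound connections from a web server to external IPs on ports outside an allowlist, the shape an FRP tunnel takes). The log lines, flow records, host name and port allowlist are constructed assumptions.

```python
from collections import Counter, defaultdict
import re

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) \S+" (\d{3})')
SCRIPT_EXT = ('.jsp', '.jspx', '.aspx', '.ashx', '.php')
EGRESS_ALLOW = {80, 443}  # assumed: ports a web server may legitimately reach outbound

def suspect_web_shells(access_lines, min_posts=3):
    """Script paths that only ever receive POSTs (never a GET) and get >= min_posts
    from one client. Shell clients drive the dropped file purely via POST."""
    gets, posts = set(), defaultdict(Counter)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        path = path.split('?', 1)[0]
        if status != '200' or not path.lower().endswith(SCRIPT_EXT):
            continue
        if method == 'GET':
            gets.add(path)
        elif method == 'POST':
            posts[path][ip] += 1
    hits = {}
    for path, by_ip in posts.items():
        ips = {ip for ip, n in by_ip.items() if n >= min_posts}
        if path not in gets and ips:
            hits[path] = ips
    return hits

def suspect_egress(conn_records):
    """Outbound (src_host, dst_ip, dst_port) records to non-private IPv4 addresses
    on ports outside EGRESS_ALLOW, sorted for stable reporting."""
    def is_private(ip):
        a, b = (int(x) for x in ip.split('.')[:2])
        return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)
    return sorted({r for r in conn_records
                   if not is_private(r[1]) and r[2] not in EGRESS_ALLOW})

SAMPLE_ACCESS = [  # constructed Apache-style access log lines
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /portal/login.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2026:10:05:00 +0000] "POST /portal/img/cache.jsp HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Mar/2026:10:05:03 +0000] "POST /portal/img/cache.jsp HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Mar/2026:10:05:09 +0000] "POST /portal/img/cache.jsp HTTP/1.1" 200 2048',
]
SAMPLE_CONNS = [('web01', '10.0.0.20', 1433),  # constructed flow records
                ('web01', '198.51.100.7', 443), ('web01', '198.51.100.7', 7000)]
```

Run against real data, a hit from suspect_web_shells is a file to pull for review and a hit from suspect_egress is a flow to block at the egress policy and investigate on the host.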
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities (Control ID: 6.2)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Identity and Access Management (Control ID: 3.1)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical infrastructure targeted by Chinese APT using web shells, credential theft, and encrypted traffic interception for espionage operations spanning multiple years.
Airlines/Aviation
Aviation sector specifically targeted by CL-UNK-1068 threat actor using cross-platform malware, lateral movement techniques, and data exfiltration for intelligence gathering.
Oil/Energy/Solar/Greentech
Energy infrastructure compromised through web server exploitation, credential dumping tools like Mimikatz, and persistent backdoors enabling long-term espionage access.
Government Administration
Government entities face sustained cyber-espionage campaigns leveraging living-off-the-land binaries, zero trust segmentation bypass, and sensitive data exfiltration capabilities.
Sources
- Chinese Cyber Threat Lurks In Critical Asian Sectors for Years – https://www.darkreading.com/threat-intelligence/chinese-cyber-threat-critical-asian-sectors
- An Investigation Into Years of Undetected Operations Targeting High-Value Sectors – https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/
- Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure – https://thehackernews.com/2026/03/web-server-exploits-and-mimikatz-used.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely reduce the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
- Cloud Native Security Fabric (CNSF) – The attacker's ability to exploit vulnerabilities in public-facing web servers may have been constrained, reducing the likelihood of initial access through such methods.
- Zero Trust Segmentation – The attacker's ability to escalate privileges may have been constrained, reducing the scope of access gained through harvested credentials.
- East-West Traffic Security – The attacker's ability to move laterally across the network may have been constrained, reducing the reachability to additional systems and databases.
- Multicloud Visibility & Control – The attacker's ability to establish and maintain command and control channels may have been constrained, reducing the persistence and evasion capabilities.
- Egress Security & Policy Enforcement – The attacker's ability to exfiltrate sensitive data may have been constrained, reducing the volume and scope of data loss.
The overall impact of unauthorized access and data breaches may have been constrained, reducing the severity and scope of the incident.
Impact at a Glance
Affected Business Functions
- Flight Operations
- Energy Distribution
- Government Services
- Telecommunications Networks
Estimated downtime: 7 days
Estimated loss: $5,000,000
Data at risk: sensitive operational data, including credentials and configuration files, potentially leading to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access controls.
- Deploy East-West Traffic Security measures to monitor and control internal network communications, detecting unauthorized movements.
- Utilize Egress Security & Policy Enforcement to filter and control outbound traffic, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly update and patch public-facing web servers to mitigate known vulnerabilities and reduce the risk of initial compromise.