NCD Cyber Threat Intelligence: Gelsemium APT Group

A China-linked, cyber threat to Japanese companies

Gelsemium, a Chinese-linked Advanced Persistent Threat (APT) group active since 2014, poses a significant cyber threat to organizations in East Asia, including Japan. This group conducts sophisticated cyberespionage campaigns, leveraging custom malware to infiltrate and exfiltrate sensitive data. Japanese companies, given their technological and industrial prominence, are prime targets.

The Gelsemium Playbook

Gelsemium is espionage-focused and leverages custom malware such as WolfsBane, a Linux-based tool, and FireWood, which is linked to the older Project Wood backdoor. These tools are designed to steal sensitive information, exploit web vulnerabilities, and evade detection using advanced techniques like rootkits. Their emphasis on Linux systems demonstrates their adaptability and ability to exploit emerging vulnerabilities. Gelsemium’s activities pose significant risks, including intellectual property theft, operational disruptions, and reputational damage. Their multi-stage attacks typically begin by targeting publicly accessible servers, then spread laterally within networks to compromise critical systems.

Gelsemium is potentially connected to the Blackwood APT group, based on the correlation between the FireWood Backdoor and Project Wood. Blackwood, active since at least 2018, has conducted cyberespionage operations targeting individuals and organizations in China, Japan, and the United Kingdom. Known for using AiTM (Adversary-in-the-Middle) attacks, Blackwood intercepts network communications to steal credentials, forge encryption keys, and facilitate further attacks. These techniques have been used to deploy the NSPX30 implant by exploiting update mechanisms of software such as Tencent QQ, WPS Office, and Sogou Pinyin. Given Blackwood’s history of targeting Japan, the Gelsemium APT group may continue to pose a significant threat to the region.

Threat Actor Attribution Chart

Here are some proactive steps to defend against Gelsemium:

Secure Linux Systems: Regularly patch vulnerabilities, strengthen authentication, and deploy Linux-specific intrusion detection systems.
Enhance Web Security: Identify and fix vulnerabilities, enforce secure coding practices, and use Web Application Firewalls (WAF).
Implement Advanced Endpoint Security: Deploy Endpoint Detection and Response (EDR) tools and monitor server environments.
Educate Employees: Train staff to recognize phishing and social engineering tactics.

The Gelsemium threat underscores the need for robust cyber security measures. These risks are manageable with the right defences. By investing in proactive strategies, organizations can safeguard their assets and maintain their competitive edge in an increasingly hostile digital landscape.

Nihon Cyber Defence provides localized, industry-specific solutions to protect against threats like Gelsemium. Partner with NCD for expert guidance to fortify defences against even the most advanced cyber threats.

Edit Template

Cyber Maturity Assessment

Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisations current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.