Last week, U.S. cybersecurity firm FireEye published a report on "one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years," identifying its alleged perpetrator "APT41" as "one of the most prolific threats that FireEye currently tracks." From Christopher Glyer, Dan Perez, Sarah Jones, and Steve Miller:
[…] Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.
[…] There is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. This has been a common activity pattern by Chinese APT groups in past years as well.
[…] We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. The exploit behavior was almost identical to the activity on February 1, where only the name of the payload ‘un’ changed.
[…] This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41. [Source]
FireEye released a detailed report on APT41 last August, describing it as "a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations."
[…] APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.
[…] Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China’s Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.
[…] Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group’s consistent interest in targeting the video game industry for financially motivated reasons. The group’s capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.
APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enable it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41. [Source]
In a blog post later in August, the company described coming "toe-to-toe with APT41" following "suspicious activity on a publicly-accessible web server at a U.S.-based research university." In October, FireEye reported the apparent involvement of APT41 and "separate threat groups with suspected Chinese state-sponsored associations" in targeted tapping of text message conversations and phone call metadata from "political leaders, military and intelligence organizations and political movements at odds with the Chinese government." This was achieved by compromising network infrastructure, but "beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance." APT41 has also been linked to an attacker called Winnti Group, which has been accused elsewhere of "highly targeted" invasion of computers at two or more Hong Kong universities late last year amid the city’s long-running anti-extradition turned pro-democracy protests.
Over the past year, U.S. officials have complained that "since the announcement of Made In China 2025, the Department [of Justice] has brought trade secret theft cases in eight of the ten technologies that China is aspiring to dominate," claiming "probably about a thousand plus investigations" ongoing into actual or attempted theft of American IP, "almost all leading back to China." As FireEye alluded to in its August report on APT41, such direct theft subsided following an agreement on commercially-motivated hacking between China and the Obama administration in 2015, but was later reported to have revived. The carefully narrow terms of the 2015 agreement somewhat complicate this picture, however.
In the realm of non-commercial espionage, meanwhile, the U.S. Department of Justice brought charges against four Chinese military officers in February for their alleged involvement in the 2017 breach of credit reporting agency Equifax. Reporting on politically driven hacks against Apple iPhone users and Australian political bodies last year suggested that some victims are choosing to keep quiet to avoid antagonizing China.
The attacks attributed to APT41 are just part of a spike in reported activity by both Chinese-sponsored and other government-linked and criminal hacking groups around the world amid the ongoing pandemic, which has prompted a coordinated response from the security community. Other recent incidents include attacks on the World Health Organization, including some tentatively linked to "Dark Hotel," an entity suspected to be linked with the South Korean government with "a long history of hacking North Korean and Chinese victims, with a focus on espionage." NBC’s Kevin Collier reported earlier this month on the prolific use of outbreak-related information as bait in phishing attacks.
“We’ve seen Russia use it against Ukraine, China use it against Southeast Asia, North Korea against South Korea,” said Ben Read, the senior manager for cyberespionage analysis at the cybersecurity firm FireEye.
FireEye analyzed emails from Chinese hackers to Vietnamese targets, and in one, purporting to be reassurances from Vietnamese Prime Minister Nguyen Xuan Phuc that the government was doing everything in its power to contain the spread of the virus, FireEye found malware that would compromise the computer of any user who downloaded it.
“These lures have really authentic branding, like they pretend to be from the CDC or the WHO or other really credible groups, and then target people based on ‘this seems like a really interesting thing offering me more information in a time that has so much information,’” said Lindsay Kaye, who also researched coronavirus phishing emails for the cybersecurity company Recorded Future.
[…] “The story started in Asia, and has kind of migrated, so the threat actors are following the virus,” said Adam Meyers, CrowdStrike’s vice president of intelligence. “They go from China to surrounding areas around China, they start targeting Japan, they start targeting South Korea, they start targeting Europe.” [Source]
More from Patrick Howell O’Neill at MIT Technology Review:
Two hacking groups aligned with the Chinese government targeted Vietnam, the Philippines, Taiwan, and Mongolia, the cybersecurity firms FireEye and Check Point reported today. The hackers are sending email attachments with genuine health information about coronavirus but laced with malware such as Sogu and Cobalt Strike, according to Ben Read, a senior intelligence analyst at FireEye.
[…] “You expect to get information from government sources, so it’s most likely that you will open and execute documents to see what it says,” said Lotem Finkelstein, head of threat intelligence at Check Point. “It makes it very useful to trigger an attack. The coronavirus outbreak serves threat actors very well, especially those that rely on phishing attacks to ignite attacks.”
[…] In addition to ongoing activity by government-sponsored hackers, cybercriminals are taking advantage of the chaos of current events. Hackers have previously used anxiety surrounding Ebola, Zika, and SARS to make money.
[…] “Attackers are also subverting internal businesses’ credibility in their attacks,” researchers from the cyber firm Proofpoint wrote. “We have seen a campaign that uses a Coronavirus-themed email that is designed to look like an internal email from the company’s president to all employees … This email is extremely well-crafted and lists the business’ president’s correct name.” [Source]
The Washington Post examined the explosion in online scams on Thursday. Security issues such as phishing have become all the more pressing as information workers move en masse toward online remote work, putting many at greater risk than they might be on closely guarded corporate networks. This week, product recommendation site The Wirecutter published its first guide to "The Best Security Key for Multi-Factor Authentication"; such keys offer "the strongest protection against phishing attacks" for accounts with platforms like Google, Facebook, and Twitter. Google’s own Titan security keys, whose Chinese manufacturing has provoked some suspicion, were not The Wirecutter’s top choice, for unrelated reasons. For more on security keys and how to use them, see user guides at TechSolidarity.org.