Chinese Hacking Group Resumes Global Attacks

A group of individuals belonging to a Chinese government-linked hacking group has resumed hacking activities. According to researchers, the group, which was thought to be dormant, has been quietly targeting companies and government agencies for the last two years, harvesting data after stealing passwords and circumventing the two-factor authentication intended to prevent such attacks.

Fox-IT, a security company based in the Netherlands, said in a report published Thursday, Dec. 19, that the group’s attacks have extended to 10 countries, including the United States, the United Kingdom, France, Germany and Italy. These Chinese hackers carried out a global campaign that targeted industries including aviation, construction, finance, health care, insurance, gambling and energy.


According to the researchers, the hackers likely belong to a group known as APT20. Fox-IT said it strongly believes the actor is a Chinese group and that there is a possibility they are working to support the interests of the Chinese government.


From 2009 to 2014, APT20 (which is also known as Violin Panda and th3bug) was associated with hacking campaigns that targeted universities, military, health care and telecommunications companies. The group went quiet for a number of years but has recently made a resurgence, according to Fox-IT.

Frank Groenewegen, chief security expert at Fox-IT, said, “A lot of people thought that this group disappeared, or no longer existed. But what we found is that this group has been operating internationally again and hacking lots of companies.”

Groenewegen said Fox-IT discovered the group’s hacking spree in the summer of 2018, while carrying out an analysis of computer systems that had been compromised. From the initial discovery, Fox-IT’s researchers were able to follow a digital trail that helped them uncover dozens of similar attacks that appear to have been perpetrated by the same group. Attacks were also carried out in Brazil, Mexico, Portugal and Spain. He also said at least one target existed in China (a semiconductor company).

Fox-IT's report said the hackers usually gained entry to an organization’s systems by exploiting vulnerabilities in web servers that these companies or government agencies operated. They then penetrated further into the network to identify people, usually system administrators, with privileged access to the most sensitive parts of the computer network. The hackers would then place key-logger software on those system administrators’ computers, which records keystrokes and can reveal passwords.

The hackers were effective at covering up their tracks, according to Fox-IT. They would routinely delete the tools they used to steal data from infected computers. But occasionally they slipped up. Fox-IT placed monitoring technology within one victim’s network and was able to gather data showing that the hackers were using a web browser that had its language set to Chinese.

Fox-IT, working together with a law enforcement agency, traced the hackers’ activities to a web server the group had purchased as a staging point for their attacks. The hackers made the purchase using Bitcoin and gave fake details, which included a British phone number and an American address in Lafayette, Louisiana. They had, however, typed part of the address in simplified Chinese.

Another piece of evidence was the time difference. Fox-IT’s security experts were at one point kept up all night by the hackers, who became active at about 3 a.m. in the Netherlands and continued for eight to 10 hours, suggesting they were operating in China’s time zone. China is 7 hours ahead of the Netherlands.

A striking indicator came after the hackers were locked out of a compromised system: on realizing they had been locked out, one frustrated hacker bashed out the word “wocao” on his keyboard, which according to Fox-IT is a Chinese slang obscenity.
