Chinese Hacking Group, Quiet for Years, Resumes Global Attacks

(Bloomberg) -- A Chinese government-linked hacking group that was thought to be dormant has been quietly targeting companies and government agencies for the last two years, harvesting data after stealing passwords and circumventing two-factor authentication intended to prevent such attacks, according to researchers.

Fox-IT, a security company based in the Netherlands, said in a report published Thursday that the group’s attacks have extended to 10 countries, including the U.S., the U.K., France, Germany and Italy.

The Chinese hackers carried out a global espionage campaign that targeted industries including aviation, construction, finance, health care, insurance, gambling and energy, the firm said.

The hackers likely belong to a group known as APT20, according to the researchers, who said they had “high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government.”

Between 2009 and 2014, APT20--which is also known as Violin Panda and th3bug -- was associated with hacking campaigns that targeted universities, military, health care and telecommunications companies. The group went quiet for a number of years but has recently made a resurgence, according to Fox-IT.

Digital Trail

“A lot of people thought that this group disappeared, or no longer existed,” said Frank Groenewegen, chief security expert at Fox-IT. “But what we found is that this group has been operating internationally again and hacking lots of companies.”

A representative for the Chinese government didn’t return a message seeking comment.

Fox-IT discovered the group’s hacking spree in the summer of 2018, while carrying out an analysis of computer systems that had been compromised, Groenewegen said. From the initial discovery, Fox-IT’s researchers were able to follow a digital trail that helped them uncover dozens of similar attacks that appear to have been perpetrated by the same group. Attacks were also carried out in Brazil, Mexico, Portugal and Spain, according to Fox-IT.

There was also at least one target within China, a semiconductor company, according to Groenewegen, who declined to name the companies and organizations that were attacked. Fox-IT is working with some of them to clean up their systems, he said, and has notified the others.

The hackers would usually gain entry to an organization’s systems by exploiting a vulnerability on web servers that the company or government agency operated. They would then penetrate further to identify people -- usually system administrators -- with privileged access to the most sensitive parts of the computer network, according to Fox-IT’s report.

Free Rein

The hackers would place keylogger software on system administrators’ computers, which record keystrokes and can reveal passwords. The group was also able in at least one case to compromise a RSA SecurID two-factor authentication system, replicating its codes, which are designed to thwart hackers by providing an extra layer of security in addition to a password, according to Fox-IT.

RSA Security didn’t respond to a message seeking comment.

The hackers were effective at covering up their tracks, according to Fox-IT. They would routinely delete the tools they used to steal data from infected computers. But occasionally they slipped up. Fox-IT placed monitoring technology within one victim’s network and was able to gather data showing that the hackers were using a web browser that had its language set to Chinese.

With the help of a law enforcement agency, Fox-IT traced the hackers’ activities to a web server the group had purchased as a staging point for their attacks. The hackers had paid in Bitcoin and given fake details, a British phone number and American address in Lafayette, Louisiana. But they had typed part of the address in simplified Chinese.

There was also the issue of time. Fox-IT’s security experts were kept up all night by the hackers, who became active about 3 a.m. in the Netherlands and continued for eight to 10 hours. That suggests they were operating in China’s time zone, which is seven hours ahead of the Netherlands.

Perhaps the most striking indicator came after the hackers found out they had been caught. Fox-IT moved to shut them out of a compromised network and watched as the group typed in a series of commands to try and regain access to the computers.

When it became clear that they had been locked out, one of the hackers, apparently frustrated, bashed out the word “wocao” on his keyboard. That’s Chinese slang for an obscenity, according to Fox-IT.

To contact the reporter on this story: Ryan Gallagher in Edinburgh at rgallagher76@bloomberg.net

To contact the editor responsible for this story: Andrew Martin at amartin146@bloomberg.net

©2019 Bloomberg L.P.