Yesterday, 10:44 PM
(This post was last modified: Yesterday, 10:48 PM by kyonides. Edit Reason: China Stole Covid Data)
CHINA STOLE COVID DATA
Quote: A Chinese national hacked into the computers of major US universities and research labs to steal COVID-19 data as part of a government-sponsored cyberattack during the pandemic, federal prosecutors said Tuesday.
“While the world was reeling from a virus that originated in China, the Chinese government plotted to steal US research critical to vaccine development,” FBI Houston Special Agent in Charge Douglas Williams said in a statement released Tuesday.
Suspect Zewei Xu, 33, infiltrated American research facilities as an agent for China’s Ministry of State Security and the Shanghai State Security Bureau to pilfer the information on the virus and vaccines over nearly two years, prosecutors in the District Attorneys Office in the Southern District of Texas said in the release.
Xu, who was on the run since 2023, was recently nabbed by the FBI and international authorities in Milan, Italy, after getting off a plane from China and is facing extradition to the US, prosecutors said.
“[Xu’s] landmark arrest by FBI Houston agents in Italy proves that we will scour the ends of the Earth to hold criminal foreign adversaries accountable,” Williams said.
According to a newly unsealed indictment, Xu and accused 44-year-old cohort Yu Zhang, who remains on the run, were part of a Chinese-sponsored covert plot to steal US data on COVID-19 research between February 2020 and June 2021.
The pair were part of a coordinated Chinese cyberattack on various US industries that was identified and exposed by Microsoft in 2021 and is publicly known as “Hafnium.”
In early 2020, Xu and his accomplice allegedly targeted universities in Texas and elsewhere, as well as leading immunologists and virologists who were working on COVID vaccines.
On Feb. 19, 2020, he allegedly contacted his Chinese handlers to report that he had compromised the network of one Texas facility. He was told to “access specific email accounts belonging to virologists and immunologists engaged in COVID-19 research,” prosecutors said.
On Feb. 28, 2021, the feds said Xu informed the Shanghai State Security Bureau about his “successful intrusions” into the school’s database and was told to get data on other operations, too.
US NUCLEAR WEAPONS AGENCY + MS SHAREPOINT FLAWS
Quote: Microsoft has warned that Chinese state-sponsored hackers have breached its SharePoint software used by the US agency responsible for maintaining and modernizing the nation’s stockpile of nuclear weapons, according to a report.
The National Nuclear Security Administration, a semi-autonomous agency that operates under the auspices of the Department of Energy, was among the targets of a hack allegedly carried out by Chinese-backed cybercriminals, according to Bloomberg News.
A Dutch cybersecurity company estimates that around 400 government agencies in the US, Mauritius, Jordan, South Africa and the Netherlands were impacted by the hack, according to Bloomberg News.
The Dutch firm, Eye Security, previously estimated that just 60 entities were impacted.
A source familiar with the situation told the financial news site on Tuesday that no sensitive or classified information was known to have been stolen in the hack, which was made possible by exploiting a flaw in Microsoft’s SharePoint document management software.
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” an agency spokesman told The Post.
“The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”
The breaches have been ongoing since at least July 7, according to Adam Meyers, senior vice president at CrowdStrike, the cybersecurity firm that has partnered with Microsoft to ward off potential cyber threats.
“The early exploitation resembled government-sponsored activity, and then spread more widely to include hacking that ‘looks like China’,” Meyers told Bloomberg News. CrowdStrike’s investigation into the campaign remains ongoing.
Eye Security’s Vaisha Bernard confirmed in an email to The Post that the firm has identified 400 confirmed compromised SharePoint servers worldwide — most of them being in the US, Netherlands, Germany, France, Vietnam, Australia, Canada and the UAE.
According to Bernard, Eye Security cannot confirm an NNSA breach but has seen compromised US government servers.
“We estimate that the real number might be much higher as there can be many more hidden ways to compromise servers that do not leave traces,” Bernard told The Post via email.
The Post has sought comment from Microsoft and CrowdStrike.
In a blog post, the tech giant identified two reputed cybercriminal organizations, Linen Typhoon and Violet Typhoon, in the alleged scheme to exploit flaws in Microsoft’s software that is used by customers on their own networks rather than in the more secure cloud.
These customers are at risk of having their data compromised by the hackers, according to Microsoft, which also fingered a third Chinese-based organization, Storm-2603, as doing the same.
Microsoft SharePoint is a platform used to store, organize, share and manage internal web content across an organization — similar to intranets.
The NNSA wasn’t the only agency that was targeted in the alleged cyberattack.
Among the victims are the US Department of Education, Florida’s Department of Revenue and the Rhode Island General Assembly, which is the Ocean State’s legislative body.
Internationally, governments in Europe and the Middle East have also been targeted. Cybersecurity researchers have detected breaches on more than 100 servers, representing at least 60 victims across various sectors, including energy, consulting and academia.
Microsoft has patched the vulnerabilities in recent days, but the company expressed concern that hackers will continue to exploit these flaws in future attacks.
“We have high confidence that threat actors will continue to integrate them into their attacks,” Microsoft stated in its blog post.
“China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues,” a spokesperson for the Chinese embassy said in a statement.
Cybersecurity experts have expressed grave concerns about the severity of the threat.
Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks Inc., described the situation as a “high-severity, high-urgency threat.”
He emphasized the risks posed by SharePoint’s deep integration with Microsoft’s ecosystem, which includes services like Office, Teams, OneDrive and Outlook — all of which contain valuable data for attackers.
Quote: Microsoft (MSFT.O) is investigating whether a leak from its early alert system for cybersecurity companies allowed Chinese hackers to exploit flaws in its SharePoint service before they were patched, Bloomberg News reported on Friday.
A security patch Microsoft released this month failed to fully fix a critical flaw in the U.S. tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort.
In a blog post on Tuesday, Microsoft said two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the weaknesses, along with a third, also based in China.
The tech giant is probing if a leak from the Microsoft Active Protections Program (MAPP) led to the widespread exploitation of vulnerabilities in its SharePoint software globally over the past several days, the report said.
Microsoft said in a statement provided to Reuters that the company continually evaluates "the efficacy and security of all of our partner programs and makes the necessary improvements as needed."
A researcher with Vietnamese cybersecurity firm Viettel demonstrated the SharePoint vulnerability in May at the Pwn2Own cybersecurity conference in Berlin. The conference, put on by cybersecurity company Trend Micro's Zero Day Initiative, rewards researchers in the pursuit of ethically disclosing software vulnerabilities.
The researcher, Dinh Ho Anh Khoa, was awarded $100,000 and Microsoft issued an initial patch for the vulnerability in July, but members of the MAPP program were notified of the vulnerabilities on June 24, July 3 and July 7, Dustin Childs, head of threat awareness for the Zero Day Initiative at Trend Micro, told Reuters Friday.
Microsoft first observed exploit attempts on July 7, the company said in the Tuesday blog post.
Childs told Reuters that "the likeliest scenario is that someone in the MAPP program used that information to create the exploits."
It's not clear which vendor was responsible, Childs said, "but since many of the exploit attempts come from China, it seems reasonable to speculate it was a company in that region."
It would not be the first time that a leak from the MAPP program led to a security breach. More than a decade ago, Microsoft accused a Chinese firm, Hangzhou DPTech Technologies Co., Ltd., of breaching its non-disclosure agreement and expelled it from the program.
“We recognize that there is the potential for vulnerability information to be misused,” Microsoft said in a 2012 blog post, around the time that information first leaked from the program. “In order to limit this as much as possible, we have strong non-disclosure agreements (NDA) with our partners. Microsoft takes breaches of its NDAs very seriously.”
Any confirmed leak from MAPP would be a blow to the program, which is meant to give cyber defenders the upper hand against hackers who race to parse Microsoft updates for clues on how to develop malicious software that can be used against still-vulnerable users.
Launched in 2008, MAPP was meant to give trusted security vendors a head start against the hackers, for example, by supplying them with detailed technical information and, in some cases, “proof of concept” software that mimics the operation of genuine malware.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
![[Image: SP1-Scripter.png]](https://www.save-point.org/images/userbars/SP1-Scripter.png)
![[Image: SP1-Writer.png]](https://www.save-point.org/images/userbars/SP1-Writer.png)
![[Image: SP1-Poet.png]](https://www.save-point.org/images/userbars/SP1-Poet.png)
![[Image: SP1-PixelArtist.png]](https://www.save-point.org/images/userbars/SP1-PixelArtist.png)
![[Image: SP1-Reporter.png]](https://i.postimg.cc/GmxWbHyL/SP1-Reporter.png)
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE