Chinese Hackers

[kyonides]

Chinese APT40 Attacked Taiwanese Government Agencies

https://www.cyberscoop.com/taiwan-china-hacking-apt40/
They had attacked 10 agencies and 6,000 email accounts of officials in an escalation of Beijing’s long-running espionage on the island, says CyberScoop.

Over the course of two years, Chinese hackers have infiltrated a variety of Taiwanese government offices in an effort to steal sensitive documents

Let's take a look at their targets.

The Taiwanese semiconductor industry, a centerpiece of the global supply chain for smartphones, has also come under sustained assault from hackers that appear to be based in China, private researchers said earlier this month.

Taiwanese authorities also feel they need to keep an eye on Hong Kongers that have been arriving as of late since China passed its law criminalizing protests.

Here's how they did it. Hackers exploited VPN software, some sort of secure tunnel to a private network, to break into networks, and then smuggled the stolen data out using their own encrypted connections. Part of their malware is called Taidoor and US authorities had denounced Chinese hackers have been using it for over 12 years.

Security firm Firefly stated they have been active in multiple Southeast Asian countries in support of China’s “Belt and Road” infrastructure development strategy. Just in case you don't recall what that term means, we're talking about the modern Silk Road here.

CyberScoop also revealed that the American Institute in Taiwan is helping them find ways to detect their network flaws.

[kyonides]

Chinese Hackers attacked Coronavirus Research

Back in July media alerted you about how China was hacking institutions related to studying the coronavirus and how to produce a working vaccine. They weren't providing many details back then besides the fact some of the facilities were located in Massachusetts and Maryland if talking about the US only.

The following news article actually tells you the NAME of that company that the Chinese tried to vulnerate to steal or alter its data.

China-backed hackers targeted

COVID-19 vaccine firm Moderna

https://www.reuters.com/article/us-healt...SKCN24V38M
What you might still ignore is that Moderna is located in Cambridge, Massachusetts!

The indictment said the Chinese hackers “conducted reconnaissance” against the computer network of a Massachusetts biotech firm known to be working on a coronavirus vaccine in January.
Moderna, which is based in Massachusetts and announced its COVID-19 vaccine candidate in January, confirmed to Reuters that the company had been in contact with the FBI and was made aware of the suspected “information reconnaissance activities” by the hacking group mentioned in last week’s indictment.
The July 7 indictment alleges that the two Chinese hackers, identified as Li Xiaoyu and Dong Jiazhi, conducted a decade-long hacking spree that most recently included the targeting of COVID-19 medical research groups.

And you can take for granted that those Chinese hackers are persistent indeed.

By the way, they also add another state to the list, namely California.  

The court filing describes the California firm as working on antiviral drug research and suggested the Maryland company had publicly announced efforts to develop a vaccine in January. Two companies that could match those descriptions: Gilead Sciences Inc and Novavax Inc.

[kyonides]

US charges 5 Chinese citizens in global hacking campaign

https://apnews.com/abe63876eedc5a95c90a37ca88024809

The Justice Department has charged five Chinese citizens with hacks targeting more than 100 companies and institutions in the United States and abroad, including social media and video game companies as well as universities and telecommunications providers, officials said Wednesday.

The five defendants remain fugitives, but prosecutors say two Malaysian businessmen charged with conspiring with the alleged hackers to profit off the attacks on the billion-dollar video game industry were arrested in Malaysia this week and now face extradition proceedings.

In unsealing three related indictments, officials laid out a wide-ranging hacking scheme targeting a variety of business sectors and academia and carried out by a China-based group known as APT41. That group has been tracked over the last year by the cybersecurity firm Mandiant Threat Intelligence, which described the hackers as prolific and successful at blending criminal and espionage operations.
The hackers relied on a series of tactics, including attacks in which they managed to compromise the networks of software providers, modify the code and conduct further attacks on the companies’ customers.

The Justice Department did not directly link the hackers to the Chinese government. But officials said the hackers were probably serving as proxies for Beijing because some of the targets, including pro-democracy activists and students at a Taiwan university, were in line with government interests and didn’t appear to be about scoring a profit.

Well, one thing was to see some Chinese hackers to publish a fake game that would allow them to steal data from users but another one is to steal actual videogames! Well, their digital currency at least, the very same money they sold on the black market later on.

By the way, one of the suspects admitted he had a connection with the Chinese Ministry of State Security.

[kyonides]

Microsoft says it nixed China-linked hackers' apps from Azure cloud

https://www.cyberscoop.com/microsoft-apt...ium-azure/
I gotta admit I'm usually against MS for the way they make business or offer defective products, like the winspooler service for instance, but this time I'd have to state they took a wise decision.
Curiously MS also made a serious mistake by not declaring China was behind the attacks. Especially after other organizations have already linked APT40 to China.

The hacking group — labeled Gadolinium by Microsoft and also known as APT40 — was hosting apps on the Azure Active Directory and using open source tools “to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection,” the researchers said in a report published Thursday.

APT40 has been linked to China’s government, and recent targets have reportedly included organizations in Taiwan and Malaysia. The typical goal is data exfiltration for espionage, according to researchers at FireEye, Kaspersky and other security companies. Microsoft’s report does not mention China by name, but notes that the hacking group has previously focused on the maritime and health industries.

“Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings,” according to researchers Ben Koehl and Joe Hannon. “By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.”

Once again we get confirmation of an APT expanding its targets. It's not just the Trump administration, Microsoft is denouncing them as well. The cyber criminals are going after higher education and regional government organizations.

[kyonides]

Facebook + $4 millions + China

https://www.cyberscoop.com/facebook-sile...-millions/

Hackers defrauded Facebook users out of more than $4 million in a scheme that security staffers have connected to a cybercrime network in China.
The alleged China-based scammers, who first surfaced in 2016, have also abused the Twitter and Amazon platforms. They have repeatedly updated their code, explored new hacking tools and used geolocation to try to make their Facebook logins appear legitimate.

And you still think you can trust the CCP? What a wise decision...

The Details

Attackers breached hundreds of thousands of Facebook accounts, scouring for users with payment methods attached to their profile, such as PayPal. The attackers would disable users’ notifications, and abuse their access to the victim account to place advertisements for diet pills and counterfeit products.

Facebook sued two Chinese guys and a company based in Hong Kong back in 2018 after their internal investigations had ended.

[kyonides]

UEFI and Chinese Operatives

https://www.cyberscoop.com/kaspersky-uef...nts-china/

The crucial computing code that manages that booting process, known as UEFI firmware, represents a valuable target for hackers, though also one that remains difficult to infiltrate.
Researchers from security company Kaspersky on Monday revealed what they described as the second case of malicious UEFI firmware found in use in the wild. Security specialists found UEFI implants that appeared to be part of a larger hacking operation carried out by Chinese-speaking operatives against diplomatic organizations and non-governmental organizations in Africa, Asia and Europe.

These events took place from 2017 to 2019, in an attempt to gather information on North Korea or the targets working there like two diplomatics.
According to Kaspersky, parts of the code are based on the Italian HackingTeam's UEFI hacking tool.
Experts think UEFI implants might become even more common every day that passes.

Front Companies as Disguise for State Sponsored Hackers

https://www.cyberscoop.com/chinese-irani...companies/
Some time ago we reported the indictment of several Chinese and Malaysian citizens. Now authorities released more information pertaining their actual affiliation.

The Justice Department on Sept. 16 unsealed an indictment against five Chinese men and two Malaysian nationals for their alleged role in a years-long spying scheme that infected software including Asus, CCleaner and Netsarang with malware.
Some suspects working as part of the larger operation functioned as part of Chengdu 404, which marketed itself as a penetration testing company with a “patriotic spirit.”

But why would they do such a weird thing? Here's the answer to that question!

Intelligence analysts contend the Chinese government began outsourcing cyber-espionage work to nondescript companies after a 2014 agreement in which the U.S. and China agreed to not sponsor any malicious cyber activity for economic gain.
“The APT landscape in China is run in a ‘whole country’ approach, leveraging skills from universities, individual, and private and public sectors,” researcher Timo Steffens said. “So some of the smaller companies might just be a way for individual hackers to band together and be eligible for government contracts.”

The article also reminds us of Rana, an Iranian hacking group, and how it used similar tactics to recruit and organize their hackers.

[kyonides]

Huawei is Spying on Britain

https://www.bbc.com/news/technology-54455112

There is "clear evidence of collusion" between Huawei and the "Chinese Communist Party apparatus", a parliamentary inquiry has concluded.
And the MPs say the government may need to bring forward a deadline set for the Chinese firm's 5G kit to be removed from the UK's mobile networks.
The House of Commons defence committee based its findings on the testimony of academics, cyber-security experts and telecom industry insiders, among others. These included executives from Huawei itself, as well as some long-term critics of the company.
Its report cites a venture capitalist who claimed the Chinese government "had financed the growth of Huawei with some $75bn [£57bn] over the past three years", which he said had allowed it to sell its hardware at a "ridiculously low price point".
And it highlights a claim made by a researcher who specialises in corporate irregularities within China, who alleged that Huawei had "engaged in a variety of intelligence, security, and intellectual property activities" despite its repeated denials.

Emphasis is mine but I don't regret it.
People should know Chinese enterprises aren't private at all. Or can you still believe Huawei is? Even after knowing how many billion dollars it was granted by the CCP!?  

But the committee says ministers should consider bringing the latter deadline forward to 2025 if relations with China deteriorate or pressure from the US and other allies makes it necessary.

Something that will likely happen any time soon.

They also back proposals to form a D10 group of democracies to provide alternatives to Chinese technology.

Sounds logical.

[kyonides]

China is targeting US, Russia, India and Other Countries

https://www.cyberscoop.com/chinese-hacke...isa-alert/

Malicious software used in the campaign, which the departments of Defense and Homeland Security have dubbed “SlothfulMedia,” is linked with “high confidence” to the Chinese government, according to one U.S. government official. Another U.S. government source said the hackers are suspected of having ties to Beijing, while a third government official described the group as operating a concerted hacking campaign based in China.
A Pentagon spokesperson told CyberScoop the hacking effort is ongoing, and that it has targeted entities in Russia, Ukraine, India, Kazakhstan, Kyrgyzstan and Malaysia.

What's curious about this report is that they didn't directly make a statement blaming China on October 1st but still let you guess that was the case.

The Oct. 1 disclosure coincided with a period of celebration in China known as the Moon Festival.
The Pentagon also published a graphic, which includes a moon, as part of its public release on the espionage effort.

Can we ever believe in coincidences?

[kyonides]

Chinese Government trying to hack US Defense Contractors

https://www.cyberscoop.com/defense-contr...cking-nsa/

The hackers are specifically going after 25 known vulnerabilities that primarily affect products used for remote access or for external web services, which the NSA lays out in detail in the advisory. Vulnerabilities the Chinese hackers are exploiting include those of Pulse Secure VPNs, which could allow attackers to steal victim passwords, as well as F5 Networks’ Big-IP Traffic Management User Interface, Windows Domain Name System servers, a series of flaws in Citrix ADC and Gateway devices, and several others.
System administrators in the defense industrial base should immediately patch the vulnerabilities the Chinese hackers are exploiting, the NSA warned.

Some of their favorite targets are the National Security Systems, Defense Industrial Base, and Department of Defense networks.
Keep in mind Chinese hackers have already stolen data related to the F-35 jet fighter as another news media had found out some time ago.

FBI and CISA had linked those hackers with the Chinese Ministry of State Security last month.

[kyonides]

Symantec implicates Chinese APT10

in sweeping hacking campaign against Japanese firms

https://www.cyberscoop.com/apt10-china-j...-symantec/

A Chinese government-linked hacking group whose operatives have been indicted by the U.S. and sanctioned by the European Union is suspected in a year-long effort to steal sensitive data from numerous Japanese companies and their subsidiaries, security researchers said Tuesday.
The attackers, known as APT10 or Cicada, have been burrowing into the networks of companies in the automotive, pharmaceutical and engineering sectors, according to researchers from antivirus provider Symantec. They have sometimes lingered for months before trying to extract data and have targeted domain controllers, the servers that act as gatekeepers for organizations’ network traffic.
APT10, which U.S. officials have alleged operates on behalf of China’s civilian intelligence service, has for over a decade been a key prong in alleged Chinese espionage activity. The group has a well-documented history of targeting Japanese companies, including an alleged attempt to infiltrate Japanese media organizations in 2018.

They also mentioned the latest attacks indicate the resurgence of the APT10 / Cicada group. Back in 2018 US authorities had indicted several of their members but it seems that didn't stop them from hacking more companies around the world.