A Chinese government-linked hacking group that was thought to be dormant has been quietly targeting companies and government agencies for the past two years, harvesting data after stealing passwords and circumventing two-factor authentication intended to prevent such attacks, researchers said.
Fox-IT, a security company based in the Netherlands, said in a report published yesterday that the group’s attacks have extended to 10 countries, including the US, the UK, France, Germany and Italy.
The Chinese hackers carried out a global espionage campaign that targeted industries, including aviation, construction, finance, healthcare, insurance, gambling and energy, the firm said.
The hackers likely belong to a group known as APT20, according to the researchers, who said they had “high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government.”
Between 2009 and 2014, APT20 — which is also known as Violin Panda and th3bug — was associated with hacking campaigns that targeted universities, military, telecoms and healthcare companies.
The group went quiet for a number of years, but has recently made a resurgence, Fox-IT said.
“A lot of people thought that this group disappeared, or no longer existed,” Fox-IT chief security expert Frank Groenewegen said. “But what we found is that this group has been operating internationally again and hacking lots of companies.”
A representative for the Chinese government did not return a message seeking comment.
Fox-IT discovered the group’s hacking spree in the summer of last year, while carrying out an analysis of computer systems that had been compromised, Groenewegen said.
From the initial discovery, Fox-IT researchers were able to follow a digital trail that helped them uncover dozens of similar attacks that appear to have been perpetrated by the same group.
Attacks were also carried out in Brazil, Mexico, Portugal and Spain, Fox-IT said.
There was also at least one target within China, a semiconductor company, said Groenewegen, who declined to name the companies and organizations that were attacked.
Fox-IT is working with some of them to clean up their systems and has notified the others, he said.
The hackers would usually gain entry to an organization’s systems by exploiting a vulnerability on Web servers that the company or government agency operated. They would then penetrate further to identify people — usually system administrators — with privileged access to the most sensitive parts of the computer network, Fox-IT’s report said.
The hackers would place keylogger software on system administrators’ computers, which record keystrokes and can reveal passwords, it said.
The group was also able in at least one case to compromise an RSA SecurID two-factor authentication system, replicating its codes, which are designed to thwart hackers by providing an extra layer of security in addition to a password, it said.
RSA Security did not respond to a message seeking comment.
The hackers were effective at covering up their tracks, Fox-IT said. They would routinely delete the tools they used to steal data from infected computers.
However, occasionally they slipped up: Fox-IT placed monitoring technology within one victim’s network and was able to gather data showing that the hackers were using a Web browser that had its language set to Chinese.
With the help of a law enforcement agency, Fox-IT traced the hackers’ activities to a Web server the group had purchased as a staging point for their attacks. The hackers had paid in bitcoin and given fake details, a British phone number and US address in Lafayette, Louisiana, but they had typed part of the address in simplified Chinese.
There was also the issue of time. Fox-IT security experts were kept up all night by the hackers, who became active at about 3am in the Netherlands and continued for eight to 10 hours. That suggests they were operating in China’s time zone, which is seven hours ahead of the Netherlands.
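The working-hours reasoning above (activity starting around 3am Dutch time and running for eight to ten hours) can be checked mechanically against an activity log. The following is an added illustration, not Fox-IT's tooling: it assumes constructed log lines with UTC timestamps, finds the busiest ten-hour window, and lists the UTC offsets under which that window would begin during a normal local workday.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed activity log (assumed format: UTC timestamp, event label).
# Events cluster between 02:00 and 11:00 UTC, i.e. 03:00-12:00 in the
# Netherlands in winter (CET, UTC+1), matching the pattern in the article.
SAMPLE_LOG = """\
2019-01-14T02:05:11Z event=login
2019-01-14T02:40:52Z event=file_read
2019-01-14T04:12:03Z event=file_read
2019-01-14T06:55:30Z event=file_read
2019-01-14T09:20:44Z event=file_read
2019-01-14T10:48:19Z event=logout
2019-01-15T02:17:05Z event=login
2019-01-15T05:03:41Z event=file_read
2019-01-15T08:31:27Z event=file_read
2019-01-15T11:02:09Z event=logout
"""


def parse_hours(log: str) -> list[int]:
    """Return the UTC hour of every event line in the log."""
    hours = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp = line.split()[0]
        dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        hours.append(dt.replace(tzinfo=timezone.utc).hour)
    return hours


def active_window(hours: list[int], length: int = 10) -> tuple[int, int]:
    """Find the start of the `length`-hour window (wrapping past midnight)
    holding the most events. Returns (start_hour_utc, events_in_window);
    ties go to the earliest start hour."""
    counts = Counter(hours)

    def in_window(start: int) -> int:
        return sum(counts[(start + i) % 24] for i in range(length))

    best = max(range(24), key=in_window)
    return best, in_window(best)


def candidate_utc_offsets(start_hour_utc: int,
                          workday_start: tuple[int, int] = (8, 10)) -> list[int]:
    """UTC offsets (in hours) for which the observed start of activity falls
    inside the assumed local workday start range. A 02:00 UTC start yields
    +6..+8, which includes China Standard Time (UTC+8)."""
    lo, hi = workday_start
    return [off for off in range(-12, 15)
            if lo <= (start_hour_utc + off) % 24 <= hi]
```

Activity-hour analysis is only one weak indicator; as the article shows, it is useful mainly in combination with others such as browser language and typed input.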
Perhaps the most striking indicator came after the hackers found out they had been caught. Fox-IT moved to shut them out of a compromised network, and watched as the group typed in a series of commands to try and regain access to the computers.
When it became clear that they had been locked out, one of the hackers, apparently frustrated, bashed out the word “wocao” (我操) on his keyboard.
That is Chinese slang for an obscenity, Fox-IT said.