According to a top security firm, in early 2020 state-backed Chinese hackers conducted one of the largest espionage campaigns in recent years, targeting telecommunications, healthcare, government, defense, finance, petrochemical, manufacturing, and transportation organizations in the United States and around the world.
Referring to the hackers as APT41, Christopher Glyer, Dan Perez, Sarah Jones, and Steve Miller of FireEye stated, “This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.” They noted, “Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers.”
CyberScoop explained, “APT41 zeroed in on victims by going after vulnerabilities in Citrix’s Application Delivery Controller (ADC), Cisco’s routers, and Zoho’s ManageEngine Desktop Central, according to FireEye. The Citrix vulnerability was publicly revealed a month prior to APT41’s campaign, and a researcher only revealed code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central three days before the group took advantage, suggesting the group is interested in promptly taking advantage of reported flaws.”
The Trump administration is well aware of China’s malicious cyber activities; in December, Deputy Attorney General Rod Rosenstein warned, “China stands accused of engaging in criminal activity that victimizes individuals and companies in the United States, violates our laws, and departs from international norms of responsible state behavior.” The Department of Homeland Security and the State Department warned Beijing to “abide by its commitment to act responsibly in cyberspace,” adding that the U.S. would “take appropriate measures to defend our interests,” as Politico reported.
Glyer told CyberScoop that he and his fellow researchers think APT41 designed malware in-house to ensure its success, adding, “It is likely that APT41 had to develop custom malware to target Cisco routers because public samples are not available.”
CyberScoop noted, “… the group has been known to conduct state-sponsored cyber-espionage. It has also run cyber-operations aimed at personal or financial gain. APT41 has also targeted the gaming sector, hacked organizations focused on cancer research, and successfully exploited an Atlassian Confluence vulnerability against a U.S. based university, according to FireEye.”
Glyer stated, “Based on our current visibility it is hard to ascribe a motive or intent to the activity by APT41. There are multiple possible explanations for the increase in activity including the trade war between the United States and China as well as the COVID-19 pandemic driving China to want intelligence on a variety of subjects including trade, travel, communications, manufacturing, research and international relations.”
One clue that the hackers came from China was the fact that they paused both during Lunar New Year and while areas of China were under coronavirus quarantine.
FireEye concluded, “In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.”