The world of cyber espionage is not slowing down at all during the COVID-19 pandemic. China-backed APT41 has been on a tear since near the beginning of the year, targeting over 75 organizations throughout the world even as the country grappled with containing the initial pandemic outbreak. The team of Chinese hackers is among the most skilled and prolific in the world, and this recent campaign has focused on specific vulnerabilities in various routers and cloud services.
China’s early 2020 cyber espionage binge
Researchers with leading cybersecurity firm FireEye have been tracking the campaign, and characterize it as “one of the most widespread” they have seen in recent years.
The FireEye report observed APT41 between January 20 and March 11, as the group targeted a wide range of industries all over the world. Rather than particular targets, the Chinese hackers appeared to be focusing on particular vulnerabilities. They exploited previously unknown or recently published weaknesses in Cisco RV320 routers, Citrix’s Application Delivery Controller (ADC), and Zoho’s ManageEngine Desktop Central. Most of these vulnerabilities had just been published in the weeks prior to the beginning of the campaign, and the Zoho exploit was only three days old when the group began using it.
The campaign appears to have been a sprint to use these vulnerabilities to their advantage before they were widely patched out, and it swept up organizations in at least 20 countries around the world. The Chinese hackers appeared to be attacking whatever targets were available, covering nearly every sector of the economy from petrochemicals to education.
The attacks on the Cisco routers appeared to involve custom malware that FireEye researchers said they had not seen before.
Though the campaign was aggressive and wide-ranging, the FireEye researchers remain somewhat puzzled as to its overall intent. They indicate that there is no clear evidence that any data was exfiltrated from any of the targets. The researchers speculated that the Chinese hackers may have been seeking intelligence related to the COVID-19 pandemic or the ongoing trade war with the US, but there is no way to know for sure.
Wide-ranging, highly skilled Chinese hackers
Though the motivations for this current cyber espionage campaign are unclear, the methodology is consistent with APT41’s established cyber espionage patterns. The group has been active since at least 2012, and has attacked a wide range of industries throughout its history. APT41 is thought to have started as a private team of two Chinese hackers who specialized in hacking online games for clients via the dark web, expanding in headcount and scope after being recruited by the government. The group is known for its agility and for making use of vulnerabilities very quickly after they are published or leaked.
There was a strong focus on exploiting vulnerabilities in Citrix Netscaler, with entire days of activity devoted to this purpose. The researchers noted that the Chinese hackers had a particular focus on Citrix controllers on January 20 and 21, February 1 and February 24 and 25. The attackers first probed the controllers to see if the vulnerability had been patched, and then attempted to install a backdoor for future use.
The Chinese hackers also leapt into action in exploiting the then-new Zoho vulnerability on March 8. A patch had been issued on March 7, but given that it had just been disclosed on March 5 there were likely many unpatched targets still available. Here the attackers also appeared to focus on depositing payloads on target systems rather than exfiltrating data. This is consistent with past actions by the group, which have focused on quietly establishing backdoors to be used for cyber espionage purposes over an extended period.
Though the group has had periods of focus on specific missions, such as tracking political dissidents via SMS messages in late 2019, it has been known to range far and wide and follow current opportunities in terms of target selection and activity. In general, the group tends to engage in cyber espionage activities that align with China’s current five-year economic plan.
The attribution to APT41 is strengthened by notable periods of inactivity during this time: the attackers reduced or entirely ceased their cyber espionage activity from January 23 to February 1, the Lunar New Year celebration period, and again during the introduction of strict quarantine measures in China from February 2 to February 19.
The importance of keeping everything patched
This expansive cyber espionage campaign illustrates the importance of keeping all hardware and software current with patches, even though that may be a challenge in a time of restricted movement and manpower. Some of the world’s best hackers are hustling to exploit new vulnerabilities within days of disclosure, and the Chinese hackers have demonstrated that they are happy to simply install backdoors for possible later use while an unpatched vulnerability exists. No target would appear to be too small for some group or another to take an interest in.
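The practical consequence of the timeline above is that "patched" and "safe" are not the same thing: a system patched after in-the-wild exploitation began sat in the window in which the group was planting backdoors, and needs a compromise assessment, not just a reboot. The following script is an added example, not code from the article or from FireEye, that turns that reasoning into a simple triage over an asset inventory. The Zoho dates (disclosed March 5, patch March 7, exploitation March 8, 2020) come from the article; the hostnames, the patch dates per asset and the "as of" date are constructed for illustration.

```python
"""Patch-window triage: which assets were exposed while an exploit was live."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    product: str
    disclosed: date          # public disclosure of the vulnerability
    patch_available: date    # vendor patch released
    first_exploited: date    # earliest observed in-the-wild exploitation


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    patched_on: Optional[date]   # None means still unpatched


# Dates from the article for Zoho ManageEngine Desktop Central:
# disclosed March 5, patch issued March 7, exploited by March 8, 2020.
ADVISORIES: Dict[str, Advisory] = {
    "zoho-desktop-central": Advisory(
        "zoho-desktop-central", date(2020, 3, 5), date(2020, 3, 7), date(2020, 3, 8)
    ),
}

# Constructed inventory: hypothetical hostnames and patch dates, not from the report.
ASSETS: List[Asset] = [
    Asset("mgmt-01.example.internal", "zoho-desktop-central", date(2020, 3, 7)),
    Asset("mgmt-02.example.internal", "zoho-desktop-central", date(2020, 3, 12)),
    Asset("mgmt-03.example.internal", "zoho-desktop-central", None),
]

# Constructed reporting date used for the "still unpatched" calculation.
AS_OF = date(2020, 3, 20)


def exploit_lag_days(adv: Advisory) -> int:
    """Days between public disclosure and first observed exploitation."""
    return (adv.first_exploited - adv.disclosed).days


def triage(asset: Asset, adv: Advisory, today: date) -> dict:
    """Classify one asset against one advisory.

    An asset patched before exploitation began is low risk. One patched on or
    after that date was exposed while attackers were actively installing
    backdoors, so it needs a compromise assessment covering that window.
    A still-unpatched asset is the most urgent case.
    """
    if asset.patched_on is None:
        status = "unpatched-critical"
        exposed_days = (today - adv.first_exploited).days
    elif asset.patched_on < adv.first_exploited:
        status = "patched-before-exploitation"
        exposed_days = 0
    else:
        status = "exposed-investigate"
        exposed_days = (asset.patched_on - adv.first_exploited).days
    return {"asset": asset.name, "status": status, "exposed_days": max(exposed_days, 0)}


def triage_inventory(assets: List[Asset], advisories: Dict[str, Advisory], today: date) -> List[dict]:
    """Run triage for every asset that runs a product with a known advisory."""
    return [triage(a, advisories[a.product], today) for a in assets if a.product in advisories]


if __name__ == "__main__":
    adv = ADVISORIES["zoho-desktop-central"]
    print(f"disclosure-to-exploitation lag: {exploit_lag_days(adv)} days")
    for row in triage_inventory(ASSETS, ADVISORIES, AS_OF):
        print(row)
```

The three-day lag the script reports for the Zoho advisory is the same figure the article cites, and it is the number a patch programme has to beat. Feeding the "exposed-investigate" rows into a hunt for persistence on those hosts is the step that patching alone does not cover.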