silversurfer
Thread author
Foreign state-sponsored hackers have launched a massive hacking operation aimed at Chinese government agencies and their employees.
Attacks began last month, in March, and are believed to be related to the current coronavirus (COVID-19) outbreak.
Chinese security firm Qihoo 360, which detected the intrusions, said the hackers used a zero-day vulnerability in Sangfor SSL VPN servers, used to provide remote access to enterprise and government networks.
Qihoo said it discovered more than 200 VPN servers that have been hacked in this campaign. The security firm said that 174 of these servers were located on the networks of government agencies in Beijing and Shanghai, and the networks of Chinese diplomatic missions operating abroad, in countries such as:
Italy, United Kingdom, Pakistan, Kyrgyzstan, Indonesia, Thailand, UAE, Armenia, North Korea, Israel, Vietnam, Turkey, Malaysia, Iran, Ethiopia, Tajikistan, Afghanistan, Saudi Arabia, India.
In a report published today, Qihoo researchers said the entire attack chain was sophisticated and very clever. Hackers used the zero-day to gain control over Sangfor VPN servers, where they replaced a file named SangforUD.exe with a booby-trapped version.
This file is an update for the Sangfor VPN desktop app, which employees install on their computers to connect to Sangfor VPN servers (and inherently to their work networks).
Qihoo researchers said that when workers connected to hacked Sangfor VPN servers, they were provided with an automatic update for their desktop client, but received the booby-trapped SangforUD.exe file, which later installed a backdoor trojan on their devices.
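The weak point in the chain above is a client that installs whatever update the VPN server hands it. The following is an added example, not code from the article, from Qihoo, or from Sangfor, of the defensive check a desktop client should apply: the update file is compared against a digest pinned out of band (embedded at build time or fetched from the vendor's signed release metadata), so a tampered binary served by a compromised server is rejected and logged. The update bytes, the manifest and the `serve_update` stand-in for the server are all constructed here; SHA-256 manifest pinning is used as a stdlib-only stand-in for full code-signature verification.

```python
import hashlib
import hmac

# Constructed stand-ins for the update binary: the vendor's genuine build and a
# tampered copy of the kind a compromised VPN server would serve to clients.
LEGIT_UPDATE = b"MZ\x90\x00constructed-genuine-update-payload"
TROJANIZED_UPDATE = LEGIT_UPDATE + b"\x00constructed-backdoor-stub"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the update bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Pinned digest that the client trusts. In a real client this would come from
# the vendor's signed release metadata or be compiled into the binary; it is
# never taken from the VPN server that serves the update file. Computed from
# the constructed genuine build here only so the example is self-contained.
TRUSTED_MANIFEST = {"SangforUD.exe": sha256_hex(LEGIT_UPDATE)}


def serve_update(compromised: bool):
    """Hypothetical server side: returns (filename, bytes) of the update offered
    to a connecting client. A compromised server hands out the tampered build."""
    blob = TROJANIZED_UPDATE if compromised else LEGIT_UPDATE
    return "SangforUD.exe", blob


def verify_update(filename: str, blob: bytes, manifest: dict) -> bool:
    """True only if the file is named in the pinned manifest and its digest
    matches. compare_digest avoids leaking the mismatch position via timing."""
    expected = manifest.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(blob), expected)


def install_update(filename: str, blob: bytes, manifest: dict, audit_log: list) -> str:
    """Install only a verified update; every decision is written to audit_log so
    a rejected update (a strong signal of a compromised server) can be alerted on."""
    actual = sha256_hex(blob)
    if verify_update(filename, blob, manifest):
        audit_log.append(f"INSTALL {filename} sha256={actual}")
        return "installed"
    audit_log.append(
        f"REJECT {filename} sha256={actual} expected={manifest.get(filename)}"
    )
    return "rejected"


if __name__ == "__main__":
    log = []
    for compromised in (False, True):
        name, blob = serve_update(compromised)
        print(compromised, install_update(name, blob, TRUSTED_MANIFEST, log))
    print("\n".join(log))
```

The point of the design is where the trust anchor lives: the manifest travels a different path than the update, so taking over the server that serves SangforUD.exe is not enough to get a tampered build installed, and the REJECT line is the event an endpoint or SIEM rule should fire on.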
The Chinese security firm said it tracked the attacks to a hacker group known as DarkHotel. The group is believed to operate out of the Korean peninsula, although it is yet unknown if they are based in North or South Korea.