Do not become a victim of a malign Chinese ‘mission’
Western companies are now being targeted by APT41 as it tries to help China move its economy toward higher value products and services, including IT, Robotics, energy efficiency, electric vehicles, aerospace equipment,
Chinese cyber-espionage group APT41 has been attacking organisations worldwide by exploiting vulnerabilities in popular business applications and devices from companies such as Cisco, Citrix and Zoho, FireEye researchers recently warned.
The Covid-19 lockdown in China seems, sadly, to have had little effect on the group's operations, while its target organisations are now at greater risk because their IT staff are working remotely. The recent rush to remote working has unfortunately left business applications without the added protection offered by office firewalls.
“Between 20 January and 11 March, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers,” said the FireEye report. FireEye lists the attack as the broadest campaign by a Chinese cyber-espionage actor recorded recently.
“Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA,” explained the report.
The industries targeted are banking & finance, construction, government, healthcare, high technology, higher education, legal, manufacturing, media, non-profit, oil & gas, petrochemical, pharmaceutical, real estate, telecommunications, transportation, travel, and utility.
“It’s not clear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organisations to target, but the victims appear to be more targeted in nature,” the report went on to say.
APT41, also known as MISSION2025, is believed to be a Chinese state-sponsored threat actor, perhaps working for or on behalf of the Chinese government, warned Masahiro Yamada, associate vice president of threat research at CYFIRMA.
“The threat actor is believed to be active since at least 2012. MISSION2025’s objective is consistent with China’s national strategies highlighted as ‘Made in China 2025’, a plan announced in 2015 that aims to shift China’s economy toward higher value products and services, including IT, Robotics, energy efficiency, electric vehicles, aerospace equipment, ocean engineering, high tech ships, railway equipment, power equipment, new materials, medicine and medical devices, and agriculture machinery,” Yamada went on to say.
CYFIRMA believes that MISSION 2025 has been operating a long-running campaign named VISION 2025, with several sub-campaigns under it. Each has a different targeting strategy and purpose.
“Most industries, globally, have been targeted by the VISION 2025 campaign. Our research shows that the activities reported by FireEye are a part of VISION 2025,” outlined Yamada.
CYFIRMA research further explains that the motivations of the sub-campaigns under VISION 2025 include the following:
– stealing intellectual property, solution/technology details, PII and customer information to help Chinese industries and/or monetise stolen data;
– causing reputational damage to a specific industry, company, country, etc.;
– expanding the infrastructure used for their campaigns and operations.
“From our analysis of their recent campaigns, CYFIRMA suspects MISSION 2025 has expanded their campaign targets to not only servers but also internet-facing devices including network devices and IoT devices,” said Yamada.
“In the past, they were putting more focus on cyber-espionage instead of exploiting and compromising internet-facing systems. They often targeted code-signing certificates. Once they get the certificates, they can sign their malware using the stolen valid certificates. They often target VPN credentials once they gain access to the target organisations’ networks.”
They have also been known to use a backdoor named Winnti (aka Highnoon). CYFIRMA suspects Winnti has been shared with some other Chinese state-sponsored hacking groups, Yamada further outlined.
CYFIRMA has evidence suggesting MISSION2025 uses a customised Mirai bot to target Linux systems, including network devices and IoT devices. The attacks consist of brute-force attempts against telnet and SSH, together with exploits against vulnerabilities in DSL modems and GPON routers, D-Link, NETGEAR and Huawei routers, and the Realtek SDK.
“Another Chinese state-sponsored hacking group named Stone Panda has been operating a long-running campaign named ‘RedWall’. One of the main purposes of RedWall is listing vulnerable assets of their potential target organisations and affiliates. We suspect the vulnerable asset list is not only used by Stone Panda but also by other Chinese state-sponsored hacking groups,” Yamada explained.
Whilst it is beyond belief that such activities are still continuing during the current worldwide crisis that originated in China, sadly ample evidence exists that at least some elements of the Chinese security apparatus are showing utterly ruthless disregard for the suffering of the world. If such decisions are ultimately the responsibility of the top Chinese leadership, then surely we must begin re-examining our relationship with this emerging superpower?