APT20, a Chinese state-sponsored hacking group, is at it again. According to security researchers, the group has been caught breaking into managed service providers and government institutions. It was thought to have gone dormant, but it resurfaced recently and has already done damage to a number of organisations.
Security researchers reported that the group bypassed two-factor authentication to get into its victims' networks. Fox-IT, a Dutch cyber-security firm, reported that the group is sponsored by the Chinese government and is after sensitive information held by both private and government institutions.
The group's main targets appear to be managed service providers (MSPs) and government institutions. The victims include major organisations in energy, insurance, finance, healthcare and aviation, as well as companies in smaller niche sectors such as physical locks and gambling.
Fox-IT has been tracking the group's activities since 2011, when it was first identified. The group dropped off the radar in 2017 and many assumed it had stopped operating. It turned out that it had only changed how it operated, which made it far harder to track.
Fox-IT has published reports on the group's activities during the period it was believed to be dormant. According to Fox-IT, the group gains initial access through vulnerable web servers, in particular JBoss, an enterprise application server commonly found in government and large corporate networks.
The attackers look for vulnerable servers, install web shells on them, and then spread through the internal systems of their victims.
According to the researchers, APT20 operates differently from other groups. Rather than trying to guess or crack passwords, it concentrates on harvesting the credentials of existing administrator accounts, which give broad access to data and important files. A key goal was obtaining VPN credentials, which let the attackers reach the most sensitive parts of the network through legitimate remote access. VPN access also served the group as a persistent backdoor into the network.
Although the group has been active throughout the past two years, it managed to stay undiscovered until recently. Fox-IT has explained why it was able to remain hidden for so long.
The attackers did not rely on custom-built tooling. Instead, they blended in by using publicly available tools written by other people. This makes attribution harder, since an intrusion carried out with such tools looks no different from one by any other user of the same tools, and according to Fox-IT, custom tooling would have been more likely to be flagged by the victims' security software.
Of everything the group has done, the most alarming is that it connected to VPN accounts protected by two-factor authentication (2FA). It is still not clear exactly how this was achieved, but the Fox-IT researchers have a working theory.
According to the researchers, the attackers could have stolen an RSA SecurID software token from a system they had already compromised. With that token they could generate valid one-time passwords and pass the 2FA check.
Normally this should not work. A SecurID software token is bound to the specific system it was installed on: the token file is tied to a system-specific value, and a copy of the token running on a different machine fails that check and only produces errors. The theory is that the attackers got around this by patching a single instruction in the SecurID software token application so that the system-binding check is skipped, after which the stolen token generates valid one-time passwords on the attackers' own machine. Because the VPN server only verifies the code itself, it cannot tell a code produced this way from one produced on the victim's computer.
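To make concrete why a software token on a compromised host is no longer an independent second factor, here is a small Python model added for this article; it is not code from the original page, from Fox-IT or from RSA. It uses the RFC 6238 TOTP algorithm in place of the proprietary SecurID one, and the host identifiers, the seed and the `binding_check` switch are constructed assumptions for the example: the switch stands in for the single patched instruction, and the server-side check shows that the VPN cannot distinguish a code produced by the patched copy from one produced on the victim's machine.

```python
"""Toy model of a host-bound software OTP token (added example, not SecurID code)."""
import hashlib
import hmac
import struct

# Constructed values for the example: two host identifiers and a token seed.
# The seed is the RFC 6238 reference seed, chosen so totp() can be checked
# against the RFC's published test vectors.
VICTIM_HOST_ID = "victim-laptop-01"
ATTACKER_HOST_ID = "attacker-vm"
TOKEN_SEED = b"12345678901234567890"


def host_fingerprint(host_id: str) -> str:
    """Stand-in for the system-specific value a real soft token is bound to."""
    return hashlib.sha256(host_id.encode()).hexdigest()


def provision_token(seed: bytes, host_id: str) -> dict:
    """Create a token file bound to the host it is installed on."""
    return {"seed": seed, "bound_host": host_fingerprint(host_id)}


class BindingError(RuntimeError):
    """Raised when a token file is used on a host it was not provisioned for."""


def totp(seed: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, used here as a generic OTP algorithm.

    SecurID uses a different, proprietary algorithm; the binding problem
    shown here does not depend on which OTP algorithm is used.
    """
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def generate_otp(token: dict, current_host_id: str, timestamp: int,
                 binding_check: bool = True) -> str:
    """Client side: refuse to run unless the token was provisioned for this host.

    binding_check=False models the single-instruction patch that makes the
    token software skip its host check (an assumption of this example).
    """
    if binding_check and token["bound_host"] != host_fingerprint(current_host_id):
        raise BindingError("token not provisioned for this host")
    return totp(token["seed"], timestamp)


def vpn_accepts(seed_on_server: bytes, submitted: str, timestamp: int) -> bool:
    """Server side: only the code is checked; the server never learns which host ran the token."""
    expected = totp(seed_on_server, timestamp)
    return hmac.compare_digest(submitted, expected)


def scenario(timestamp: int) -> dict:
    """Walk through legitimate use, a naive copy, and a patched copy of the token."""
    token = provision_token(TOKEN_SEED, VICTIM_HOST_ID)
    victim_code = generate_otp(token, VICTIM_HOST_ID, timestamp)

    # The stolen token file is byte-identical; only the host it runs on differs.
    stolen = dict(token)
    try:
        generate_otp(stolen, ATTACKER_HOST_ID, timestamp)
        copy_runs_unpatched = True
    except BindingError:
        copy_runs_unpatched = False

    patched_code = generate_otp(stolen, ATTACKER_HOST_ID, timestamp, binding_check=False)
    return {
        "victim_code": victim_code,
        "copy_runs_unpatched": copy_runs_unpatched,
        "patched_code": patched_code,
        "vpn_accepts_patched": vpn_accepts(TOKEN_SEED, patched_code, timestamp),
    }


if __name__ == "__main__":
    for key, value in scenario(1_500_000_000).items():
        print(f"{key}: {value}")
```

Running it shows the unpatched copy failing with `BindingError`, the patched copy producing exactly the code the victim's own token would produce, and the server accepting it. The point for defenders is that once an attacker has code execution on the host that holds the seed, the binding check is a client-side speed bump rather than a security boundary; keeping the seed in a hardware token, where it cannot be copied off the compromised host, is what keeps the second factor independent of that host.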
Fox-IT is still investigating the group's activities. The researchers said they began the investigation after being called in by one of the compromised organisations, and that they intend to keep investigating and documenting what this Chinese hacking group does.