Chinese Cyber Espionage Continues Despite COVID-19
FireEye Finds APT41 Conducting a Global Campaign
Despite the global COVID-19 pandemic, which started in China, Chinese cyber espionage campaigns are continuing, with a new campaign from one advanced persistent threat group targeting at least 75 enterprises in 20 countries, according to the security firm FireEye.
The new campaign, which started in January and continued through at least mid-March, is the work of the group known as APT41, which is taking advantage of vulnerabilities in software and devices manufactured by Cisco, Citrix and Zoho, FireEye says in a new report.
Although the report does not describe the goal of this cyber espionage campaign, earlier investigations determined that APT41 had focused on stealing intellectual property and corporate data. In the current campaign, the APT group attempted to plant backdoors in organizations' networks to enable the potential installation of more sophisticated malware later, the report notes.
The campaign has targeted organizations in the U.S., U.K., Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland and the United Arab Emirates, according to the report.
Sectors targeted include banking and finance; construction; defense; government; healthcare; technology; education; legal; manufacturing; media; nonprofits; oil and gas; petrochemicals; pharmaceuticals; real estate; telecommunications; transportation; travel; and utilities.
Nature of Campaign
"It's unclear if APT41 scanned the internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature," according to the report.
The group's activities continued through at least March 21, except for brief periods in January and February, which coincided with Chinese Lunar New Year holidays and the height of quarantine due to the spread of COVID-19 in China, according to FireEye.
Since 2014, APT41 has been targeting global businesses and organizations for intelligence gathering and theft of intellectual property, according to a previous FireEye report. Although the APT group's ties to the Chinese government remain unclear, its past activities appeared to have coincided with the country's "Made in China 2025" mission - a plan to develop its high-tech and advanced manufacturing sectors, FireEye notes.
The 2020 cyber espionage activities of APT41 have been carried out in three waves, according to FireEye.
On Jan. 20, during the first wave of attack, the group exploited a vulnerability designated as CVE-2019-19781 in Citrix Application Delivery Controller, a cloud-based product, and Citrix Gateway devices, the researchers say.
By exploiting this vulnerability, attackers were able to perform remote code execution. A December 2019 report from security firm Positive Technologies, which first reported this flaw, noted that approximately 80,000 companies in 158 countries were at risk of attack due to unpatched software and devices (see: Citrix Vulnerability Could Affect 80,000 Companies: Report).
Although Citrix released a patch for the vulnerability in December, FireEye researchers note that APT41 began exploiting the flaw in January, scanning devices to see if the patch had been installed. If the group received information that devices and software were unpatched, the hackers began the process of installing a backdoor, according to the report.
Then, around Feb. 1, in the final segment of the first phase, APT41 hackers changed their tactics, exploiting the vulnerability to download a payload onto a vulnerable system through a file transfer protocol feature, the researchers say.
In the second phase, which started around Feb. 21, APT41 began targeting Cisco routers used by smaller telecommunications organizations. The group took advantage of a vulnerability that enabled attackers to retrieve sensitive information from the router's web interface as well as another flaw that allowed attackers to gain administrative privileges and execute arbitrary commands in these devices.
In phase three, starting around March 5, APT41 exploited a zero-day flaw in the Zoho ManageEngine Desktop Central - an IT management tool for laptops and other devices - that allowed for remote code execution to install a payload, the report notes.
Although Cisco, Citrix and Zoho had released patches for vulnerabilities in their products, the APT41 hackers in all three phases of their campaign targeted organizations that had not applied these fixes, the researchers say. The APT41 attackers used publicly available malware, such as Cobalt Strike and Meterpreter, in all three phases, the researchers say.
Previous APT41 Campaigns
Over the last six years, APT41 has been involved in a number of complex campaigns with targets in China and elsewhere. In August 2019, for instance, the group launched a campaign targeting the global video gaming industry to steal virtual currency, according to an earlier FireEye report (see: Members of Chinese Espionage Group Develop a 'Side Business').
The same FireEye report also showed that APT41 spied on individuals, including Chinese officials, as they traveled around the world.