Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Hackers Target Chinese Government Agencies Via VPNs: Report

Zero-Day Vulnerabilities in VPN Servers Exploited, Quihoo 360 Reports
Hackers Target Chinese Government Agencies Via VPNs: Report

Hackers are targeting Chinese government agencies and their employees by taking advantage of zero-day vulnerabilities in VPN servers to plant backdoors and other malware, researchers at the Chinese security firm Qihoo 360 report.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

This ongoing campaign appears to have started in March, the researchers say. The hackers are probing for security weaknesses as government workers in China work remotely and rely on VPNs during the COVID-19 pandemic, they say.

The hackers are exploiting a zero-day vulnerability in Sangfor SSL VPN servers, according to the researchers’ report. The attackers then attempt to plant a backdoor on devices belonging to government workers, the report notes.

The researchers have found that, so far, the hackers have targeted about 200 Sangfor SSL VPN servers. Some of the vulnerable servers are located in Chinese government agencies within the country, but the campaign has also targeted China's diplomatic missions abroad, the report says.

The Qihoo 360 researchers speculate that the hackers may be trying to gain insight into China's response to the COVID-19 pandemic.

"Is it also possible that, by attacking Chinese overseas agencies, the group's real purpose is to grasp the supply transport routes, quantity and equipment of the quarantine materials that China sends to other countries around the world" the report notes.

Targeting VPNs

The Qihoo 360 report does not describe the zero-day exploit that the hackers are using. But it notes that this flaw allows the attackers to replace a specific file within the Sangfor SSL VPN servers - called SangforUD.exe - with a similar file that they control.

The legitimate file is used as part of the update process for devices using the Sangfor SSL VPN. As part of this hacking campaign, however, when employees attempt to log into a VPN controlled by the hackers, it prompts them for an update. During the process, the false SangforUD.exe file is installed, which then downloads a backdoor onto the infected device, according to the report.

"The attacker imitated the signature of legitimate program to disguise the backdoor and it is hard for a common user to distinguish," the report notes.

The backdoor then communicates with a command-and-control server and begins uploading information about the devices, including the hardware and software it uses, the researchers say.

APT Group Involved?

The Qihoo 360 researchers note that they believe these attacks are the work of an advanced persistent threat group called DarkHotel, which has been active since at least 2007 (see: Microsoft Warns of Zero-Day Internet Explorer Exploits). DarkHotel has been tied to cyberespionage campaigns that have targeted corporate executives, government agencies, defense industry suppliers, technology firms and others in East Asian countries, according to security researchers.

In March, the World Health Organization was allegedly targeted by the DarkHotel group, although that hacking attempt was believed to be unsuccessful, Reuters reports (see: Hackers Targeted World Health Organization).

On Twitter, Brian Bartholomew, a researcher with the security firm Kaspersky, contends that the Qihoo 360 report lacks enough evidence to tie these attacks in China to any one group.


About the Author

Apurva Venkat

Apurva Venkat

Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.