Chinese agencies and diplomatic missions have been targeted by hackers through their virtual private network (VPN) servers in a coordinated cyber espionage campaign, at a time when many governments and global organisations are more vulnerable than ever to security breaches due to remote working arrangements amid the pandemic, according to a report by a leading Chinese cybersecurity provider.
Both domestic Chinese agencies and diplomatic missions in countries including Italy, the UK, North Korea and Thailand have been attacked, according to a report by Qihoo 360. It speculated in the report that the East Asia-based DarkHotel hacking group attacked Chinese agencies for reasons linked to the pandemic.
The group is also suspected to be behind recent cyberattacks against the World Health Organisation (WHO), as officials and cybersecurity experts warn that hackers of all stripes are seeking to capitalise on international concern over the spread of the coronavirus, according to a Reuters report.
“Since March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad were under attack. In early April, the attack spread to government agencies in Beijing and Shanghai,” said the report by Qihoo 360, China’s largest antivirus vendor.
The WHO did not immediately respond to a request for comment.
“The Chinese government has been resolutely cracking down on any form of cyber attacks and will step up measures to protect its cyber security,” said Zhao Lijian, a spokesman for China's Ministry of Foreign Affairs. He also called for more international cooperation to protect cyber security.
The attacks come at a time when many governments and corporations are asking employees to work from home to prevent the spread of the novel coronavirus. Beijing has asked most offices to host no more than half of employees at one time, and suspended classes in schools.
“Especially in this global battle against the coronavirus pandemic, VPN plays an indispensable and important role in the remote telecommunication of enterprises and government agencies,” Qihoo 360 said in its post. “Once VPNs are controlled by threat actors, the internal assets of many enterprises and institutions will be exposed to the public network, and the loss will be immeasurable.”
DarkHotel, which Qihoo 360 said initiated the attacks, is a group of elite hackers which has been conducting cyber-espionage operations since at least 2007. Cybersecurity firms have traced many of DarkHotel’s operations to East Asia, with targets including government employees and business executives in places such as China, North Korea, Japan and the United States.
Qihoo 360 speculated in the report that the group could have attacked Chinese agencies to gain information related to the pandemic.
“After [the] Chinese government took strict measures to fight the virus, now the outbreak has been controlled in China. But the pandemic is still going on in a lot of countries,” Qihoo 360 wrote in the post. “[Are the attacks] intended to spy upon China's medical technology and virus-control measures during the epidemic?”
However, security experts said that aside from Qihoo 360's report, at the present time there is no other evidence that DarkHotel was behind the attacks or that the hackers' motivations were related to the pandemic.
“[So far] we don’t see any third party confirmation yet. Those should come within the next few days,” said Mark Webb-Johnson, co-founder and chief technology officer of security service provider Network Box. “For the moment, this is one company’s opinion. That said, I don't see any evidence to dispute its credibility.”
“This write-up is full of speculation, no evidence this was actually DarkHotel, and a ton of confirmation bias about targeting because of Covid,” tweeted Brian Bartholomew, a researcher from Kaspersky, which tracks DarkHotel, after the release of the Qihoo 360 report. “Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims.”
In the latest series of attacks against Chinese institutions, hackers hijacked the servers of domestic VPN vendor SangFor Technologies by replacing a file in the VPN programme’s security update with one that gave them a backdoor to users’ devices, according to Qihoo 360.
Users were prompted to update their VPN clients upon logging in, unknowingly downloading the file and giving hackers access to their devices.
In a post on Tuesday, Shenzhen-based SangFor posted solutions including security patches and free antivirus software.
“We truly apologise for security loopholes uncovered,” SangFor said in the post. “The company has launched an all-round review of existing products and will run stricter verification tests.”
SangFor did not immediately respond to a request for comment.