Posted on December 20, 2019 at 7:35 AM
A Chinese state-backed hacking group has resurfaced after staying off the radar for a long time. Researchers have revealed that the group, tracked as APT20, targets the United States and other countries. According to the researchers, the hackers harvest data after stealing passwords and defeating two-factor authentication to get past their victims' firewalls.
According to Fox-IT, a Netherlands-based security firm, the group has operated in 10 different countries, including Italy, Germany, France, the UK and the US, using sophisticated techniques to gain access to its victims' authentication codes.
It is carrying out a global espionage campaign against companies in a range of industries, including energy, insurance, health care, gambling, finance, construction and aviation. The researchers say they are almost certain the hackers are operating with the backing of the Chinese government.
According to Fox-IT, APT20 was linked to intrusions between 2009 and 2014, when it targeted telecommunications companies, health care providers, military organisations and universities. The researchers said the group was actively spying on several other companies at the time. Now that it is back, defenders are bracing to ward it off.
After those years of activity, the group suddenly dropped off the radar. Fox-IT's chief security expert, Frank Groenewegen, said many people thought the group no longer existed or had simply disappeared. But it has resurfaced and is operating internationally, spying on sensitive databases at a variety of institutions.
When the Chinese government was contacted about the matter, a representative did not respond to the request for comment.
The hacking group resurfaced last year
Fox-IT researchers stumbled upon the group's activity while analysing compromised computer systems. After dissecting that attack, they followed the trail to a series of similar intrusions that had already been carried out. Because the attacks followed the same pattern, the researchers were able to trace other compromised organisations. According to the researchers, there were recent attacks in Spain, Portugal, Mexico and Brazil.
Groenewegen did not name the companies that were attacked, but he said there was even an attack in China, the hackers' own country. Fox-IT has notified the companies involved and is helping them remove the malware.
How the Group gained access
Like most intrusions, this one starts with a weakness in the victim's network. Once the hackers find such a weakness at a government body or a company, they probe further. According to Groenewegen, they then go after system administrators, whose accounts hold the most sensitive access.
According to Groenewegen, the hackers typically use keylogger software, which records keystrokes and captures passwords as the administrator uses the system. The group also succeeded in compromising the two-factor authentication provided by RSA SecurID: it was able to reproduce the one-time codes that were supposed to keep it out, and so passed through the second authentication factor.
No response yet from RSA Security
After breaking in and connecting to the compromised servers, the hackers usually cover their tracks to make them difficult to trace, Fox-IT says. They typically erase their tools to remain untraceable, but they did not always do so effectively, and those occasional slip-ups allowed Fox-IT to discover their activity.
How Fox-IT found out
The research team installed a monitoring system on the network of one of the victims, and there it collected data from the attackers' tooling. The material it captured turned out to be in Chinese.
A law enforcement agency assisted Fox-IT in tracing the hackers' activity. It turned out that the hackers were staging their series of attacks from an online service they had paid for.
To remain anonymous, they had paid for that service in bitcoin and registered with fake details. However, part of the address had been typed in simplified Chinese, and the hackers' working hours also showed the group operating in China's time zone. According to Fox-IT, taken together this was overwhelming evidence that the hackers are based in China.
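The time-zone clue mentioned above is a standard attribution technique: an operator's interactive activity clusters in their local working day, so sliding the UTC timestamps across candidate offsets and asking which one puts the most activity into weekday office hours reveals where they probably sit. The example below is added here to show that analysis and is not code from the page or from Fox-IT; the timestamps are constructed for illustration and are not data from the investigation, and the 09:00 to 18:00 working day is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker activity (interactive logins, tool
# execution) collected by a network monitor. Made-up values, not investigation data.
SAMPLE_EVENTS_UTC = [
    "2019-11-04T01:05:00Z", "2019-11-04T02:40:00Z", "2019-11-04T04:15:00Z",
    "2019-11-05T03:30:00Z", "2019-11-05T06:10:00Z", "2019-11-05T09:55:00Z",
    "2019-11-06T01:50:00Z", "2019-11-06T05:25:00Z", "2019-11-06T08:45:00Z",
    "2019-11-07T07:20:00Z", "2019-11-08T02:15:00Z",
    "2019-11-08T14:30:00Z",  # one late-evening outlier in the zone the data points to
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_fraction(events, offset_hours: int, work_start: int = 9, work_end: int = 18) -> float:
    """Fraction of events that fall on a weekday between work_start and work_end
    when the clock is shifted to UTC+offset_hours."""
    local_zone = timezone(timedelta(hours=offset_hours))
    inside = 0
    for event in events:
        local = event.astimezone(local_zone)
        if local.weekday() < 5 and work_start <= local.hour < work_end:
            inside += 1
    return inside / len(events)


def infer_utc_offset(stamps, work_start: int = 9, work_end: int = 18):
    """Score every whole-hour offset from UTC-12 to UTC+14 and return the best one,
    its score, and the full score table so the analyst can judge how decisive it is."""
    events = [parse_utc(s) for s in stamps]
    scores = {
        offset: working_hours_fraction(events, offset, work_start, work_end)
        for offset in range(-12, 15)
    }
    # Highest score wins; on a tie prefer the offset closest to UTC (arbitrary but stable).
    best = max(scores, key=lambda offset: (scores[offset], -abs(offset)))
    return best, scores[best], scores


if __name__ == "__main__":
    best, score, table = infer_utc_offset(SAMPLE_EVENTS_UTC)
    print(f"most consistent offset: UTC{best:+d} ({score:.0%} of activity in office hours)")
    for offset in (7, 8, 9, 0, -5):
        print(f"  UTC{offset:+d}: {table[offset]:.0%}")
```

On the constructed sample only UTC+8 puts nearly all of the activity into a weekday working day; neighbouring offsets lose the earliest or latest events. Working-hours analysis is circumstantial on its own, since operators can keep odd hours or route through proxies, which is why the page's attribution rests on it together with the Chinese-language text and the payment details rather than on the time zone alone.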