Posted on December 23, 2019 at 2:07 PM
APT20, the Chinese state-sponsored hacking syndicate, is at it again. According to security researchers, the syndicate has been caught hacking managed service providers and government institutions. It was initially thought that this hacking group had gone extinct, but it resurfaced recently and has already started causing havoc for institutions and other entities.
Security researchers reported that the group bypassed two-factor authentication to get into its victims' data stores. Fox-IT, a Dutch cyber-security outfit, reported that this hacking group is sponsored by the Chinese government to obtain critical information from both private and government institutions.
The syndicate's main targets appear to be Managed Service Providers (MSPs) and government institutions. The targeted organisations are strong players in a range of industries, including energy, insurance, finance, healthcare, and aviation. The group also targets organisations in smaller niche industries, such as physical locks and gambling.
Recent Activities of APT20
Fox-IT has been tracking the activities of this hacking syndicate since 2011, when it was first discovered. The group went under the radar in 2017, and many thought it had stopped operating. It turned out, however, that it had only changed how it operated, which made it difficult to track.
Fox-IT has provided reports on the group's activities since it was thought to have gone quiet. According to Fox-IT, the group gains entry through web servers, in particular JBoss, an enterprise application server usually found in government and large corporate networks.
The hackers target vulnerable servers, install web shells on them, and then spread through the internal systems of their victims.
According to the researchers, APT20 operates in a way that sets it apart from other hacking groups. It does not hunt for individual passwords when it infiltrates a system. Instead, it focuses on administrator accounts in order to gain access to a wide range of data and important files.
A main objective was obtaining VPN credentials, which let the group move easily through the most secure and most important parts of the administrative environment. It occasionally used VPN access to establish additional, more reliable backdoors.
How the hackers have been able to stay under the radar
The researchers said that although the hackers remained relatively active over the past two years, they still managed to stay undiscovered until recently. Fox-IT has explained why they were able to stay hidden for so long.
The hackers did not operate with custom-built hacking tools. Instead, they blended in by using tools that already existed and had been developed by other hackers. In this way, an attack would be attributed not to them but to the original creators of the tools they used. Had they used their own tools, local security software would more likely have detected them, Fox-IT stated.
Connecting to 2FA-protected VPN accounts
Of everything the hacking group has done, the most alarming is connecting to 2FA-protected VPN accounts. It is still not clear how they pulled this off, but the Fox-IT researchers are working towards a theory.
According to the researchers, the hackers could have stolen an RSA SecurID software token from a system that had already been compromised. With the software token, the hackers were able to generate valid one-time passwords and pass the 2FA check with ease.
Under normal conditions this should not work, because the software token is tied to a specific physical device: the token and the device on which it was provisioned have to be used together, otherwise the token starts generating errors. The highly sophisticated hackers nevertheless found a way through, using the stolen RSA SecurID software token and patching in an override for its device check.
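The passage above turns on a design question for anyone who issues software tokens: is the device binding a runtime comparison that a patched binary can skip, or is the device identity folded into the secret itself, so that a copy running elsewhere simply produces wrong codes? The following is an added illustration, not code from the article or from RSA. It uses standard TOTP (RFC 6238, HMAC-SHA1) as a stand-in for the proprietary SecurID algorithm, a constructed seed and device identifier, and a simple XOR wrap in place of real encryption; all of these are assumptions for the sake of the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample values; the seed is the RFC 6238 test seed, not a real token.
SEED = b"12345678901234567890"
BOUND_DEVICE = "host-A-serial-0001"   # hypothetical device fingerprint


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second slot."""
    return hotp(key, unix_time // step, digits)


def device_key(device_id: str) -> bytes:
    """Derive a 20-byte wrapping key from the device identity (stand-in for a real fingerprint)."""
    return hashlib.sha256(b"token-binding:" + device_id.encode()).digest()[:20]


def wrap_seed(seed: bytes, device_id: str) -> bytes:
    """XOR the seed with the device-derived key. XOR is its own inverse, so the same
    call unwraps; a real product would use authenticated encryption here."""
    return bytes(a ^ b for a, b in zip(seed, device_key(device_id)))


class CheckOnlyToken:
    """Design A: clear seed on disk, binding enforced by a single comparison.
    A copy of the seed plus a patched comparison yields valid codes anywhere."""

    def __init__(self, seed: bytes, bound_device: str):
        self.seed = seed
        self.bound_device = bound_device

    def otp(self, current_device: str, unix_time: int) -> str:
        if current_device != self.bound_device:
            raise PermissionError("token is bound to another device")
        return totp(self.seed, unix_time)


class DerivedKeyToken:
    """Design B: only the device-wrapped seed is stored. There is no check to
    patch; on any other device the unwrapped key, and hence the code, is wrong."""

    def __init__(self, seed: bytes, bound_device: str):
        self.wrapped = wrap_seed(seed, bound_device)

    def otp(self, current_device: str, unix_time: int) -> str:
        return totp(wrap_seed(self.wrapped, current_device), unix_time)


def compare_designs(unix_time: int = 59) -> dict:
    """Run both designs on the bound device and on a foreign device."""
    a = CheckOnlyToken(SEED, BOUND_DEVICE)
    b = DerivedKeyToken(SEED, BOUND_DEVICE)
    result = {
        "a_home": a.otp(BOUND_DEVICE, unix_time),
        "b_home": b.otp(BOUND_DEVICE, unix_time),
        "b_foreign": b.otp("host-Z-serial-9999", unix_time),
    }
    try:
        a.otp("host-Z-serial-9999", unix_time)
        result["a_foreign"] = "allowed"
    except PermissionError:
        result["a_foreign"] = "refused-by-check"
    return result


if __name__ == "__main__":
    for k, v in compare_designs().items():
        print(f"{k:>10}: {v}")
```

At time 59 both designs agree with the RFC 6238 test vector on the bound device. Design A refuses the foreign device only because of one branch in the client code, which is exactly the kind of check the article describes being overridden; design B has nothing to override, because the secret a thief can copy is useless without the device it was wrapped for. Either way, the seed file is a credential in its own right and deserves the same handling as a private key.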
Fox-IT is still investigating the group's activities. The researchers said they took an interest in the investigation after being asked to by one of the hacked institutions. Fox-IT said it would continue its efforts to investigate and uncover all the activities of the Chinese hacking syndicate.