Chinese hackers are behind numerous hacks of international companies

The other day, information security specialists from ProtectWise have stated that Chinese cyber intelligence is behind many hacks of various companies over the past ten years. The companies, which the Chinese are involved in, are located in Europe, the USA, Russia and many other countries. The actions of China's hackers would have gone unnoticed if it were not for the recent large-scale attack aimed at compromising corporate accounts in Office 365 and Gmail.

This attack was committed with a number of errors. Burglars left behind a lot of traces, which made it possible to identify their actions in the past. As it turned out, many successful attacks on corporate networks, which were considered the work of such communities as LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom and Winnti, are in fact the work of the Chinese. A detailed report can be found at this link, the document was published at the end of last week.

The organization behind all this is called Winnti Umbrella. Experts from ProtectWise, using data on hacked networks, hacker tactics, the techniques and methods they use, and the information obtained through the erroneous actions of the attackers were able to locate the majority of the community members.
')
In addition, it was possible to find out how long the Chinese have been working. The earliest attacks are dated 2007. In 2013, Kaspersky Lab antivirus company announced that the backdoor of the time Winnti was configured on a PC with Chinese and Korean. Then this backdoor hit a network of more than 30 game development companies. Hackers used unauthorized access to obtain digital certificates, which later served as a tool to penetrate the network of victims of intruders.

In the same 2013, Symantec announced the Hidden Linx hacker group, which was behind the attack on networks of more than 100 organizations, including the successful hacking of Bit9 networks with theft of a cryptographic key. In turn, the key was used to infect at least three customers of this company.

There were other interesting stories related to Winnti Umbrella. For example, in 2010, the same group, apparently, carried out a successful attack on Google and 34 other companies.

According to cybersecurity experts, the investigation and the report based on his motives will serve as a source of information for a number of individuals and companies on the work of Chinese cyber intelligence. In general, the Chinese strategy was to break into the providers of cryptographic keys or digital certificates in order to use compromised tools to break into “larger fish”.

Phishing was often used. At an early stage of their work, the group installed custom backdoors, designed individually, on the victim company devices. A little later, the attackers began to work with a wider range of tools, including exploits, phishing resources, backdoors, etc.

The main purpose of intelligence is not gambling companies or even telecommunications giants, but politicians from different countries, journalists from Tibet and China, representatives of the Thai government and many other organizations and individuals.

In August of last year, Kaspersky Lab discovered an unknown backdoor introduced by an unknown NetSarang company in South Korea’s network tool, which allowed attackers to penetrate NetSarang’s customer networks. This backdoor was similar to Winnti, it was called PlugX.

NetSarang software has been used by hundreds of banks, energy companies, pharmaceutical concerns and other organizations.

As for the recent attack, ProtectWise stated that from March 20 to March 28, cybercriminals from China used the goo.gl service, making it possible to track who clicks on the links left by the attackers. 29 clicks were made in Japan, 15 - United States, 2 - in India, 1 - in Russia. Chrome users clicked on links 33 times, Safari users went 23 times on a malicious url. 30 clicks were made in the Windows OS environment, 26 by macOS users.

Usually, attackers hid their real IP addresses, but forgot to do this several times, as a result of which information specialists managed to get on real IPs from the 221.216.0.0/13 range. As it turned out, this address packet corresponds to the China Unicom Beijing Network in Xicheng Province. According to those who conducted a study of the group’s activities, all of this is a sign that burglars belong to Chinese cyber intelligence.