Mandiant, the U.S. cybersecurity firm owned by Google, said that state-backed Chinese hackers exploited a vulnerability in a widely deployed e-mail security appliance to break into the networks of numerous public and private organizations in several countries, the Associated Press (AP) reported on June 15.
“The Chinese state does maintain agreements with those [hacking] groups,” Victor Ruiz, founder of the SILIKN cybersecurity center in Mexico, told Diálogo on June 25. “Those groups have their origins in military cells focused on the cyber environment.”
Mandiant reported that the group, which compromised Barracuda Networks’ Email Security Gateway (ESG) appliances, “is an espionage actor […] in support of the People’s Republic of China” and had been exploiting the flaw, a bug in how the appliance parsed e-mail attachments that is tracked as CVE-2023-2868, since at least October 10, 2022.
“This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021,” Charles Carmakal, Mandiant’s chief technology officer, told AP. Roughly a third of the affected organizations were government agencies, including foreign ministries.
Modus operandi
The hackers sent emails to targeted organizations carrying malicious .tar attachments crafted to exploit the ESG vulnerability itself: the appliance was compromised while scanning the attachment, so no recipient had to open anything, and the attackers then used that foothold to reach the organizations’ data and devices, the Mandiant statement indicated. The emails examined had generic content in both the subject line and the body of the message, as well as grammatical errors.
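The attachment pattern described above, as an added illustration that is not code from Mandiant, Barracuda, or this article: the public description of the Barracuda ESG flaw is that file names inside a .tar attachment were passed to a shell command without sanitization, so a mail-flow defender can pre-screen inbound archives for member names that carry shell metacharacters. The metacharacter set, the function names, and the sample archives below are constructed for this example.

```python
"""Pre-screen a .tar e-mail attachment for member names containing shell
metacharacters, the pattern behind the Barracuda ESG flaw (archive member
names handed to a shell unsanitized). Added illustration, not vendor code."""
import io
import re
import tarfile

# Characters that let an archive member name break out into a shell command.
# This set is an assumption for the example, not a list from the advisory.
SHELL_META = re.compile(r"[`$;|&<>()'\"\\\n]")


def suspicious_member_names(tar_bytes: bytes) -> list[str]:
    """Return member names that contain shell metacharacters.

    A malformed or unreadable archive is reported as suspicious too, since an
    attachment the scanner cannot parse should not be waved through.
    """
    flagged: list[str] = []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
            for member in tf:
                if SHELL_META.search(member.name):
                    flagged.append(member.name)
    except tarfile.TarError:
        flagged.append("<unreadable archive>")
    return flagged


def build_tar(names: list[str]) -> bytes:
    """Build an in-memory tar with the given member names (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_tar(["report.pdf", "notes/2023.txt"])
    hostile = build_tar(["report.pdf", "a`id`.txt"])  # constructed hostile name
    print("benign  :", suspicious_member_names(benign))
    print("hostile :", suspicious_member_names(hostile))
```

This is a coarse hunting check for mail-flow logs or quarantine stores, not a substitute for the vendor patch: it only looks at the initial access vector and says nothing about the post-exploitation stages, but legitimate archives almost never carry such names, so hits deserve a look.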
Identified targets included Asian and European government officials in Southeast Asia, the Middle East, and Africa. But most of the targeted entities were in the Americas, among them government ministries, trade offices, and academic research institutes, Mandiant said.
Volt Typhoon
In May, Microsoft reported that Volt Typhoon, a Beijing-sponsored hacking group, had been building the capability to disrupt critical infrastructure in the United States. The group is operated by elite hacking units within China’s military, U.S. magazine The Diplomat reported on June 1.
Since mid-2021, Volt Typhoon has targeted critical infrastructure organizations in Guam, home to a key U.S. military base near Taiwan, and elsewhere in the United States. U.S. targets have included the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors, Microsoft said.
Microsoft also noted that the group routes its traffic through compromised small-office and home-office routers and other network edge devices to blend in with normal activity, and assessed that the campaign was developing capabilities to disrupt critical communications infrastructure between the United States and parts of Asia during future crises.
Chinese cyberattacks are the non-kinetic equivalent of a weapons test: an initial probe to see how targets respond and to calibrate future action plans, The Diplomat reported. China, the magazine continued, is trying to replicate Russia’s playbook against the West.
Backdoor
Western intelligence agencies and cybersecurity groups have identified other China-state-sponsored hacking groups with a wide range of targets, Reuters reported.
One example is the Chinese hacking group BackdoorDiplomacy, which attacked several ministries and institutions of the Kenyan government to obtain information on the African nation’s debt to Beijing, Reuters reported. Kenya is a strategic link in the Belt and Road initiative.
“China always seeks to protect its own interests and knows that this is the way to seek information, to steal information, and to extort countries,” Ruiz said. “It is something it would not stop doing with Latin American countries. If it already does it with others, it could attack us.”
BackdoorDiplomacy is part of the advanced persistent threat (APT) group APT15, active since 2010, which has historically targeted government and diplomatic entities in the Americas, Africa, and the Middle East, security firm Palo Alto Networks said in a report. APT groups typically aim to gain and keep undetected access to a network, establishing a backdoor and stealing data over time.
Advanced threats
APT41 and APT27 are the oldest and most dangerous active groups, capable of compromising a country’s security through unusual malware tools, South Asia’s Leading Multimedia news agency reported.
In 2020, the U.S. Department of Justice charged APT41 members with hacking into the computers of more than 100 companies and organizations worldwide, including software developers, computer hardware manufacturers, telecommunications providers, social media companies, universities, and governments.
The group also stole U.S. COVID relief benefits worth tens of millions of dollars between 2020 and 2022, Reuters reported. APT26 focuses on the aerospace, defense, and energy sectors, the agency reported. In 2022, APT27 threatened to conduct a special cyber operation against Taiwan.
“It is likely that these Chinese groups are already inside various [public and private] organizations in Latin America surveilling and spying, unbeknown to the organizations. These groups can spend years inside an organization, to extract information and steal data without being detected,” Ruiz said.
Cybersecurity culture
To confront these Chinese groups, “the United States should sign agreements with Latin American countries to make sure that the region is protected, especially when there are countries that have certain security and defense agreements with Russia and China,” Ruiz said.
Collaboration, communication, and cooperation between countries, organizations, and companies must be strengthened to face Chinese, Russian, or any other hacker group attacks. “Cybercriminals are doing it,” Ruiz said. “We need to work on a much stronger cybersecurity culture,” he concluded.