Global Cyber Espionage Campaign Discovered
The investigation, named “Operation Wocao” (我操, “Wǒ cāo” in Chinese, slang for “shit” or “damn”), took place over a span of almost two years. Dutch security researchers say all evidence points at a shadowy Chinese hacking group called APT20, which is likely working in the interests of the Chinese government. Fox-IT discovered the group’s hacking campaign in the summer of 2018, while carrying out an analysis of compromised computer systems for one of its clients. The researchers were able to follow the trail and uncovered dozens of similar attacks that had been carried out by the same group. In a lengthy report, the Dutch researchers explain that “Very little is publicly known or published about the actor that we describe, but rather than giving this actor an alias of our own, we chose to reach out to industry partners. This helped us attribute some of the previously unpublished techniques and tools in this report, with medium confidence, to a Chinese threat actor known as APT20. Based on the observed victims of this actor we also assess that this threat actor is likely working in the interest of the Chinese government.”
The Aim is Not Money, but Knowledge
The hackers do not steal money or install ransomware. They are purely looking for business-sensitive information and knowledge, something that the Chinese government in particular would be interested in. Exactly how much data the attackers have managed to harvest in the past few years cannot be ascertained. What is known is that between 2009 and 2014, APT20 (also known as Violin Panda and th3bug) was associated with hacking campaigns targeting universities, the military, health care organizations and telecommunications companies. According to Fox-IT, the Chinese hacking group then went dormant for several years. However, it has recently resurfaced and has quietly been targeting companies and government agencies.
Some Novel Techniques Used
The report provides an overview of the techniques the Dutch security researchers know APT20 uses. The initial point of access is usually a vulnerable or already compromised web server. Once inside, the hackers move through the network using well-known methods. Eventually, they can use stolen credentials to access the victim’s network through the corporate VPN. In one case, the hacker group was even able to circumvent a form of two-factor authentication intended to prevent such attacks: the hackers developed a technique to retrieve the two-factor codes needed to connect to the company’s VPN server, giving themselves permission to log in. Other custom-made tools were also discovered. Next, the hackers used several backdoors and open source tools to infiltrate further into the network and manually identify and collect information. After downloading the data, all traces were wiped to hinder an in-depth forensic investigation, and the backdoor was closed.
Numerous Victims Across the Globe
Fox-IT does not want to mention the names of victims, but the Dutch researchers did give a list of sectors in which APT20 is active. Among the victims are aviation companies, construction companies, the energy sector, financial institutions, health care organizations, offshore engineering companies, software developers and transportation companies. Countries affected include Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the US and the UK.
Several Mistakes the Chinese Hacking Group Made
During their espionage work, the hackers made several mistakes, leaving behind “fingerprints”. For example, there were leaked language settings, indicating that the hackers were running a browser with a Chinese language setting. When registering a rented server, the hackers provided a non-existent US address, but inadvertently wrote the name of the state of Louisiana in Chinese characters. At one point, the hackers used code that could only be found on a Chinese forum.
After a while, the Dutch security researchers also began to notice that the hackers strictly adhered to Chinese office hours. The name of Fox-IT’s investigation, “Operation Wocao”, was one of the commands executed by the hackers in a frustrated attempt to access deleted webshells, after Fox-IT had reversed the digital break-in.
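The office-hours observation above is a reusable attribution and triage heuristic: if attacker activity timestamps cluster inside a 09:00–18:00 weekday window in one time zone and not in the victim’s, that supports (but never proves) an origin hypothesis. The following is an added example, not code from the Fox-IT report; the event timestamps are constructed, the candidate time zones are fixed UTC offsets (DST ignored for simplicity), and the function names are my own.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample: UTC timestamps of webshell/VPN activity from a fictional
# incident timeline (March 2019). Not real indicators.
SAMPLE_EVENTS_UTC = [
    "2019-03-04T01:15:00Z", "2019-03-04T03:40:00Z", "2019-03-04T06:05:00Z",
    "2019-03-05T02:30:00Z", "2019-03-05T08:50:00Z", "2019-03-06T00:55:00Z",
    "2019-03-06T04:10:00Z", "2019-03-07T09:45:00Z", "2019-03-08T07:20:00Z",
    "2019-03-09T03:00:00Z",  # a Saturday
]

# Candidate origins as fixed UTC offsets (assumption: DST not modelled).
CANDIDATE_OFFSETS = {
    "UTC+8 (China)": 8,
    "UTC+1 (Central Europe)": 1,
    "UTC-5 (US Eastern)": -5,
}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_office_hours(event: datetime, offset_hours: int, start=9, end=18) -> bool:
    """True if the event falls on a weekday between start and end in the given zone."""
    local = event.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end


def office_hours_fraction(events_utc, offset_hours: int) -> float:
    """Fraction of events that land inside weekday office hours for one offset."""
    events = [parse_utc(ts) for ts in events_utc]
    hits = sum(in_office_hours(e, offset_hours) for e in events)
    return hits / len(events)


def rank_candidate_zones(events_utc, candidates=CANDIDATE_OFFSETS):
    """Rank candidate zones by how well office hours explain the activity."""
    scored = [(office_hours_fraction(events_utc, off), name) for name, off in candidates.items()]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, name in rank_candidate_zones(SAMPLE_EVENTS_UTC):
        print(f"{name:24s} {score:.0%} of events in weekday office hours")
```

Treat the output as one weak signal among many: a high score can be produced by a proxy in another region or by deliberate scheduling, so corroborate it with the language, infrastructure and tooling artefacts the report describes.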