As per a series of conversations intercepted by Sectrio’s threat research team from various forums, China is learned to have identified Beijing-based APT 41 and Haikou, Hainan-based APT 40 as nodal cyber offense teams to initiate revenge attacks against many countries. Through these attacks, China may try to gain control over the narrative that has emerged in wake of the recent revelation of a large data breach that has impacted over a billion Chinese citizens.
Who are the Chinese APT groups targeting?
These attacks may primarily be aimed against countries with whom China has had an uneasy relationship in the past. It could also include a few other countries to enhance the magnitude of the breach and to bring in an element of plausible deniability.
Understanding the Shanghai Police data leak incident
It may be remembered that in one of these most expansive breaches reported so far, the data belonging to nearly a billion Chinese citizens was breached some time ago. The 23 TB of data, a sample of which was released online, belonging to the Shanghai police department includes names, phone numbers, government ID, and law enforcement reports of citizens. An extortion attempt was made and hackers who asked the Police department to pay $200,000 to prevent the data from being leaked to a wider audience. China is known to keep massive amounts of data concerning its citizens and persons of interest from around the world in databases with various levels of security. In this instance, it is claimed that while the database was protected, a dashboard linked to the database was not.
Also read: How to get started with OT security
On Friday, the site where the data was put for sale removed the post advertising the data for sale. The site however indicated that it has other databases that it is willing to sell to prospective buyers.
The scale of the breach left many questions unanswered primarily regarding the security of information collected by the government. While it has not made any direct references to the breach, China did ask all public bodies and citizen information managers to secure all information submitted to the government so that people and businesses feel safe while sharing their data with the government of China or public bodies under it. In addition to increasing confidence in the government’s ability to securely harvest and store data, China is also getting ready to go on the offensive to prove that such breaches can happen to the citizens of any country. This will also help China downplay the gravity of the original event while offering Chinese social platforms a convenient diversionary topic to discuss.
China is planning to launch new ransomware families and multi-loader malware for this operation. The designated APT groups identified for this breach campaign are APT 40 and 41. APT 40 also goes by monikers BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper. In the past, it has targeted government agencies, healthcare facilities, AI-based projects and even scientific research.
APT 40 is no stranger to harvesting stolen data and is known to maintain a long-term reconnaissance presence extending to many victims in countries considered to be adversaries by the PRC government. This also includes friendly countries that have signed up for the Belt and Road initiative and nations that have received aid from China in one form or another.
APT 40 actors often employ non-malicious tools in non-standard folders as part of an attack. Thus, if the location of a non-malicious tool is found to be non-standard, the tool becomes an IOC for a breach. The malware libraries used by APT 40 are often shared with other Chinese APT groups. Post-breach data is also shared with other groups as a standard practice.
Beijing-based APT 41 AKA Double Dragon Barium, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie, Blackfly) is known to have links with the Chinese Ministry of State Security (MSS). Between 2021 and the early months of 2022, this group is known to have conducted extensive operations against the governments of the US, Canada, a few NATO member states, and the UK. This group is known to have multiple breach tactics in its inventory and is hard to detect.
This group also has the capacity to modify a malware post-injection to work in conjunction with the host environment and adapt to any changes that the victim may make to their networks.
Both these groups are well versed in large-scale data harvesting, processing, and transfer of data and are known to be among the most stealthy APT groups in China. This is why China has chosen them to carry out a series of revenge attacks across many countries. These attacks could occur as early as this month as China seeks to bury the Shanghai Police leak episode. The speed with which these actors were assigned to this project indicates a sense of urgency.
- Possible campaign window: July – September
- Campaign objectives – massive data theft and leaks on public forums. Some of the attacks may be disguised as ransom attacks. Expect large-scale publicity for these attacks and data leaks. These actors may try and embarrass multiple governments using the leaked data
- Tactics: large-scale scans followed by targeted phishing attacks. Use of previously stolen user credentials to gain entry into main networks and databases
- Likely targets: citizen databases, national ID registries, large employers storing large employee databases, government healthcare projects, large defense contractors
Learn more about these actors in our 2022 IoT and OT Threat Landscape Assessment Report
Go for a complete threat assessment program now to learn about the threats lurking in your network
Learn more about Key Advanced Persistent Threat (APT) Clusters Under Observation explained by Prayukth K V, Speaker & Published Author cybersecurity, CMO, Sectrio, the market leader in IoT, OT & IT Security.