Hackers have attempted to steal information from Chinese government employees by faking email login pages for several high profile agencies and state-owned enterprises, cybersecurity researchers say.
Why it matters: The apparent espionage attempt may be linked to an advanced persistent threat (APT) group, an organization that accesses private information for a prolonged period while remaining undetected. The offensive began as early as the second half of 2018.
- The hackers targeted China’s Ministry of Foreign Affairs, state planner the National Development and Reform Commission, and the Ministry of Commerce, among others.
“By stealing email credentials, and accessing internal email content, it would be possible to gain insight into what decisions are being made within the target organization and could lead to the theft of sensitive information.”
—Cybersecurity researchers said in a report published on Thursday
Details: US-based cybersecurity firm Anomali said that hackers impersonated websites to trick employees from government agencies and state-owned firms to log in to the spoof services, thereby giving up their email usernames and passwords.
- The attack involved more than 40 internet domains and subdomains. All of the sites had validation certificates from Let’s Encrypt, a service that provides free encryption certificates to domain owners. Owners are required to prove control over a domain to have the certificate issued.
- All of the subdomains had a similar naming structure, the researchers said.
- The closely related validation certificates and naming structures led to the researchers to believe that the spoof websites are linked to one group.
- Chinese cybersecurity firm 360 in May linked one of the domains to a Southeast Asian (SEA) APT group dubbed Bitter. Anomali researchers said in their report that they expect Bitter to continue targeting the Chinese government by using spoofed login pages to access privileged information.
- In addition to government agencies, hackers targeted aviation firm China National Aero-Technology Import and Export Corporation and five other state-owned enterprises.
Context: APT groups are garnering increased amounts of attention around the world, according to China’ s National Computer Network Emergency Response Technical Team (CN-CERT), a cybersecurity center affiliated with the government.
- The organization said that the number of public research reports about ATP groups increased by almost 360% year-on-year in 2018.
- While Bitter targets China, Chinese state hackers are looking at SEA. APT40, which has an affinity for going after countries important to China’s controversial Belt and Road Initiative, is showing increased interest in SEA.