Search This Blog

Showing posts with label China. Show all posts

The Council of the EU and Its First-Ever Sanctions against Persons or Entities Involved in Various Cyber-Attacks



The Council of the European Union imposed its first-ever sanction against persons or entities engaged with different cyber-attacks focusing on European citizens and its member states. 

The sanctions imposed include a ban for people traveling to any EU nations and a freeze of assets on persons and entities. 

The order has been issued against six individuals and three entities liable for or associated with different cyber-attacks. Out of the six individuals sanctioned they include two Chinese citizens and four Russian nationals. 

The companies associated with carrying out these cyber-attacks incorporate an export firm situated in North Korea, and technology companies from China and Russia.

The entities responsible for or engaged with different cyber-attacks incorporate some publicly referred to ones as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper,' just as an endeavored cyber-attack against the organization for the prohibition of chemical weapons.




As per the European Council, the detailed of these persons or entities are: 

 1. Two Chinese Individuals—Gao Qiang and Zhang Shilong—and a technology firm, named Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for the Operation Cloud Hopper. 

 2. Four Russian nationals (also wanted by the FBI) — Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich, and Oleg Mikhaylovich—for attempting to target the Organisation for the Prohibition of Chemical Weapons (OPCW), in the Netherlands. 

 3. A Russian technology firm (exposed by the NSA) — Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation—for the NotPetya ransomware attack in 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016. 

 4. A North Korean export firm — Chosun Expo, for the WannaCry ransomware attack that made havoc by disrupting information systems worldwide in 2017 and linked to the well-known Lazarus group. 

The Council says, “Sanctions are one of the options available in the EU's cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool." 

As indicated by the European Union, the two Chinese nationals who carried out Operation Cloud Hopper are members from the APT10 threat actor group, otherwise called 'Red Apollo,' 'Stone Panda,' 'MenuPass' and 'Potassium.' 

On the other hand, the four Russian nationals were agents of the Russian Intelligence agency GRU who once expected to hack into the Wi-Fi network of the OPCW, which, if effective, would have permitted them to compromise the OPCW's on-going investigatory work.

Gothic Panda and Stone Panda: Chinese Hackers that Launched Mass Cyber Attacks on Indian Companies


Two Hacking groups from China named Gothic Panda and Stone Panda have been identified for organizing the majority of the cyber attacks on Indian companies in June 2020. Mumbai Mirror reported was the first to know about the incident. On 20th June, it published a report on its website regarding the issue. As per the cybersecurity experts, the word is that both the hacking groups are likely to work independently and not state-sponsored; however, they work in the interests of the Chinese government. According to experts, an anonymous source said that the attacks were launched under the disguise of VPN and Proxy Servers. After investigation, the attacks led us to Gothic Panda and State Panda, say the officials.

Chinese hackers launched more than 40,000 attacks. The hackers had used some unique malware to gain confidential data of the companies and later used the information for extortion. According to the reports, the hackers broke into at least six private/public companies' safety procedures. These include a government-regulated organization in Jammu and Kashmir and companies operating in New Delhi and Mumbai. The attacks were traced back to Souther Western Chinese province named Sichuan. These players also attempted to take down websites linked to companies that were involved in banking and finance.

The hackers used DDoS attacks (Distributed Denial of Service) and Internet Protocol Hijack. Experts say that these attacks, also called 'Probes,' look for vulnerabilities in a website's security features. In an incident where the hackers were able to crash the website, the home page was modified, and the content was changed with a foreign language. Experts say that there were no other successful probes except this incident.

In a DDoS attack, the hacker tries to rupture a cyber network, such as a website. For example, if a website page's utility provider's limit is 5000 requests/second, the hackers will pile it up with 5,00,000 requests/second and crash the website. Whereas in an Internet Protocol Hijack, the hacker tries to divert the course of traffic. In this case, the internet traffic was diverted through China for surveillance purposes.

Experts Discover Backdoor Malware in Chinese Tax Softwares named "GoldenHelper"


Trustwave has found a new malware (backdoor) named GoldenHelper. The malware is encoded in Golden Tax Invoice Software. It's under the Golden Tax Project of China's government, and its function is issue invoice and adds VAT (Value Added Tax). In June, experts had also discovered another malware named GoldenSpy. The backdoor malware was embedded within tax softwares that the Chinese companies had to install, to work in the financial sector. The backdoor malware GoldenHelper is entirely distinct from GoldenSpy.


However, both the malware function in a similar way. The backdoor malware gains entry into the international company's network operating in China to steal information. The GoldenHelper campaign distribution was active between January 2018 to July 2019 (the operations ceased to exist after January 2020). It should be noted that the GoldenSpy campaign also became active in April 2020.

The malware uses intelligent techniques to cover its usage activity when it's in function. Popular methods include using arbitrary files pattern, systems locations, and names while in transition. "The Golden Tax Project is a national program in China, impacting every business operating in China. We are currently aware of only two organizations authorized to produce Golden Tax software, Aisino, and Baiwang. This is now the second Golden Tax software package that Trustwave SpiderLabs has found to contain a hidden backdoor capable of remotely executing arbitrary code with SYSTEM level privileges," says Trustwave in its report. 

About GoldenHelper's Activity 

  • It doesn't ask user permission to gain access (UAC Bypass) 
  • Obfuscation- Randomization of file names 
  • Timestomping- Randomization while generating timestamps of "creation" and "last write." 
  • Arbitrarily downloads executable using fake file names. 

"During our investigation, we have been informed that the Golden Tax software may be deployed in your environment as a stand-alone system provided by the bank. Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and GoldenHelper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a trojan horse," says Trustwave in a report published on its website.

Golang: A Cryptomining Malware that Maybe Targetting Your PC


Cybersecurity experts at Barracuda Networks have discovered a unique kind of crypto mining malware called "Golang." The malware can attack Windows as well as Linux systems, according to the experts. This latest malware is targeting Monero cryptocurrency with the help of Xmrig, a popular miner. The number of attacks related to the malware may be relatively low, but the cybersecurity experts have discovered 7 IP addresses associated with this malware, all originating from China.


The experts also observed that the Golang malware's primary targets are non-HTTP features like MSSQL and Redis, app servers, web apps frameworks, whereas easy to attack targets like end-users are safe. If we look back into the issue, we will find that the earlier versions of Golang only affected the Linux systems; however, the present version targets Windows and the former. The attacks are carried out using various exploits such as IoT devices, Hadoop, Drupal, ElasticSearch, and Oracle Weblogic. For instance, in a recent malware attack in China, the malware used exploits that targeted ThinkPHP app frameworks widely used in the country.

According to the experts, the Golang malware is capable of evolving every day and using more exploits as each day passes by. Golang malware works by infiltrating the system, and once it does, it uses required files to complete the task. These may include downloaded update scripts, configuration files, scanner, and a miner. It all depends on the type of platform. Whereas, when attacking Windows, the hackers can use backdoors too. In recent times, more and more hackers have shifted towards using Golang as it can't be identified by anti-virus software.

The malware is infamous for targeting vulnerable servers, making it accessible among cybercriminals looking for vulnerabilities to exploit. The only way to be safe from this malware is to keep track of the CPU usage activity (when it goes unusually high) and observe any suspicious activity at the endpoints. Any threat, similar to the likes of Golang, can be avoided by vigilante inspections and immediate responses. Awareness about crypto mining threats is also a must.

China and Digital Currency : multifaceted advantages or a surveillance and tracking juncture?


People’s Bank of China (PBoC), China's central bank issued a public notice on April 29, 2020, “In order to implement the FinTech Development Plan (2019-2021), the People’s Bank of China has explored approaches to designing an inclusive, prudent and flexible trial-and-error mechanism. In December 2019, a pilot programme was launched in Beijing. To intensively advance the trial work of fintech innovation regulation, the PBoC supports the expansion of the pilot program to cover the cities of Shanghai, Chongqing, Shenzhen, Hangzhou, Suzhou, as well as Xiong’an New Area of Hebei, by guiding licensed financial institutions and tech companies to apply for an innovation test.”

After five years in making China's digital yuan is ready to be made public. While the world is battling Corona and settling the blame over China, the republic pushes out China’s central bank digital currency (CBDC), Christened Digital Currency Electronic Payment (DCEP) will be made available via mobile wallets. This new digital cash values the  same as yuan and if this experiment succeeds than China will be the first sovereign that uses crypto.

Cryptocurrency has been received skeptically by the whole world but the case is quite the opposite in China. After 2015-16, Chinese investors became intrigued by ether,and Bitcoin became a popular alternative asset.

"China has emerged as the capital of the crypto ecosystem, accounting for nearly 90% of trading volumes and hosting" The Hindu reports.

Outside China, people are dwelling if the digital yuan will takeover the dollar, as this stroke by the  People’s Republic will forever change the trading way.

Advantage or Surveillance? 

Beijing gives a mundane explanation for circulating digital yuan as a way to control shadow banking and other risks.
Digital Currency will pave multifaceted advantages like combating tax evasions and money laundering. Also, paper currency consumes around 2% of the GDP. It will also help in financial inclusions and direct benefit transfer especially in emergencies. Overall, the digital currency will speed up transactions and also ease international trade.

But, this crypto retail system would not be cryptic and the anonymity of cash will disappear. Authorities can very well look into transactions for illegal and unwanted activities. The rising state of surveillance has questioned citizen privacy as physical contact tracing and now financial tracing becomes the new normal.

Hackers Use Backdoor to Infiltrate Governments and Companies, Motive, not Money.


According to findings by cybersecurity firms Avast and ESET, an APT (Advanced Persistent Threat) cyberattack targeted companies and government authorities in Central Asia, using backdoors to gain entry into company networks for a long period. The targets involved telecom companies, gas agencies, and one government body in Central Asia. APT attacks, unlike other cyberattacks, don't work for money profits but have different motives.


According to cybersecurity experts, APT attacks are state-sponsored, and their purpose is to get intel on politics and inside information, not money. According to research findings, the hackers responsible for the APT attack in Central Asia is a group from China that uses RAT (Remote Access Tools). The attack was not their first, as experts believe that the same group was responsible for the 2017 cyberattacks against the Russian military and the Belarusian government.

APT attacks remain lowkey 

Unlike ransomware attacks that are famous for infiltrating the company networks, involving some top IT companies, the APT actors like to stay out of the radar and remain unnoticed. The motive of these attacks is not blackmail by having sensitive information. These attacks aim to remain unnoticed for as long as possible, as it allows hackers to have access to the company's network and data. Experts say that they currently don't have substantial evidence about the data that was deleted or manipulated. After the attack, the hackers part away as to avoid any suspicion or identification. Confidential info like Espionage, government policies, and trade, is what these hackers are after.

The cyberattacks are on the rise due to people working from home, giving opportunities to hackers. It has been very tough to protect users from malware attacks in the current times, due to millions of malware. The reason is the COVID-19 pandemic, and the best chance to stay safe from hackers is to be on alert after the pandemic ends. Users should check every link they get, before opening it or passing it to someone else. People working from home should keep their systems and device updated, along with the applications.

Residents in China under Surveillance amid the Coronavirus Pandemic


According to recent reports, China is alleged for surveilling its residents' homes among the coronavirus epidemic. However, there is no official rule that says China can keep quarantined residents under watch. The incident has been happening since February in China, where few residents have reported cases of security camera equipped right in front of their homes. Three people have already informed of this incident, whereas other similar cases have appeared on social media.


Currently, China doesn't have any national law that allows it to watch its people through surveillance cameras, but still, the cameras are equipped in various public areas in China. According to sources, the authorities are continually keeping a watch on people, whether they are in malls, eating in a restaurant, boarding transport, or even in schools and colleges. According to data by CNN, around 20 Million cameras were installed across china in the year 2020, and this is only a rough estimate. According to some other sources, the numbers can go even higher. As per the reports of IHS Markit Technology, which currently works under Informa Tech, China had around 350 Million surveillance cameras installed in the year 2018, which is five times than of the USA.

What will happen by 2021? 

According to the data, the projection suggests that by the year 2021, China will have equipped six times more surveillance cameras than the US. According to Comparitech, a UK based research organization, "Estimates vary on the number of CCTV cameras in China, but reports range from 200 million up to 626 million in use by 2020. Based on the country's current population of 1.4 billion people, that would mean nearly one camera for every two people. Although this projection might seem vast, it may be a fraction of the actual number."

In the present times, however, the COVID-19 pandemic has triggered the Chinese authorities to keep a watch on its residents' private life. According to these residents, it is a complete breach of privacy. Knowing that this issue might appear, the Joint Civil Society issued a statement earlier this month that said, "the COVID-19 pandemic is a global public health emergency that requires a coordinated and large-scale response by governments worldwide. However, States' efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance."

BGP Hijacking Attacks Google, Amazon and Other Famous Networks' Traffic!


As per reports, a telecommunication provider that is owned by Russia rerouted traffic which was intended for the most imminent Content Delivery Networks (CDNs) and cloud host providers of the globe.

The entire re-direction kept on for around an hour during which it affected over 8,500 traffic routes of the internet. The concerned organizations happen to be few of the most celebrated ones.

Per sources, the brands range across well-known names like Cloudflare, Digital Ocean, Linode, Google, Joyent, Facebook, LeaseWeb, Amazon, GoDaddy, and Hetzner.

Reportedly, all the signs of this attack indicate towards its being a case of hijacking the Border Gateway Protocol, also known as, BGP hijacking. It is the illegitimate takeover of IP prefixes by a hijacker to redirect traffic.

This gives a lot of power in the hands of the hijacker because they could at any time “publish an announcement” stating that the servers of a particular company are on their network. As a result of which all of e.g. Amazon’s traffic would end up on the hijacker’s servers.

In earlier times when Hypertext Transfer Protocol wasn’t as widely used to encrypt traffic, BGP hijacking was a lucrative way to carry Man-in-the-Middle (MitM) attacks and catch and modify traffic.

But in recent times, analysis and decryption of traffic later in time has become easier because of BGP hijacking, as the encryption gets weaker with time.

This predicament isn’t of a new kind. It has been troubling the cyber-world for a couple of decades, mainly because they aim at boosting the BGP’s security. Despite working on several projects there hasn’t been much advancement in improving the protocol to face them.

Google’s network has been a victim of BGP hijacking by a Nigerian entity before. Researchers mention that it is not necessary for a BGP hijacking to be malicious.

Reportedly, “mistyping the ASN” (Autonomous System Number) is one of the other main reasons behind a BGP hijacking, as it is the code via which internet units are recognized and ends up accidentally redirecting traffic.

Per sources, China Telecom stands among the top entities that have committed BGP hijacking, not so “accidentally”. Another famous one on a similar front is “Rostelecom”.

The last time Rostelecom seized a lot of attention was when the most gigantic of financial players were victimized by BGP hijacking including HSBC, Visa, and MasterCard to name a few.

The last time, BGPMon didn’t have much to say however this time, Russian Telecom is in a questionable state, per sources. They also mention that it is possible for the hijack to have occurred following the accidental exposure of the wrong BGP network by an internal Rostelecom traffic shaping system.

Things took a steep turn when reportedly, Rostelecom’s upstream providers re-publicized the freshly declared BGP routes all across the web aggravating the hijack massively.

Per researchers, it is quite a difficult task to say for sure if a BGP hijacking was intentional of accidental. All that could be said is that the parties involved in the hijack make the situation suspicious.

Betting and Gambling Websites under Cyberattack from Chinese Hackers


Since last year's summers, Chinese hackers have been targeting South Asian companies that own online gambling and betting websites. The gambling companies in South Asia have confirmed the hacks, whereas rumors of cyberattacks on betting websites have also emerged from Europe, and the Middle East, however, the rumors are yet to confirm, says the reports of cybersecurity group Trend Micro and Talent-Jump. Cybersecurity experts claim that no money was stolen in these hacks against the gambling websites. However, hackers have stolen source codes and databases. The motive of the attack was not a cybercrime, but rather espionage intended attack to gain intelligence.


According to the experts, a group named 'DRBControl' is responsible for the cyberattack. According to the reports of Trend Micro, the hacking techniques used in this particular cyberattack incident is similar to methods done by Emissary Panda and Winnti. All of these hacking groups are from China that has launched cyberattack campaigns in the benefits of the Chinese state. As of now, it is not confirmed whether DRBControl is launching these cyberattacks in the interests of the Chinese government. According to the cybersecurity group FireEye, not all the attacks have been state-sponsored, as a side business, hackers have been launching these attacks for profits and money.

How did the attacks happen?

The techniques used by DRBControl is not very uncommon or unique. Rather, the attacking techniques used to target victims and steal their data were pretty simple. The hackers send phishing emails that contain backdoor entries malware, and if the user is lured into opening these mails, the system gets infected with backdoor Trojans. However, these backdoor Trojans are not the same as the others.

This kind of Trojan relies on Dropbox file service for hosting and sharing to be used as C&C (control-and-command), to store stolen data and 2nd level payloads. Hence the name, DropBox Control. The Chinese hackers usually use the backdoor Trojans to install other hacking malware and tools so that they can roam through the network and trace the path to the source codes and databases to steal the user data.

Apple Becomes the First Major US Company to Say that the ‘Corona’ Epidemic Will Hit Its Finances



The iPhone maker cautions that disturbance in China from the coronavirus will result in revenues falling short of forecasts'. Underscoring the fact that production and sales were influenced, Apple says that "worldwide iPhone supply would be temporarily constrained". 

Sales of Apple products would be lower, bearing in mind that most stores in China are either closed or operating at reduced hours, the company says, "while our iPhone manufacturing partner sites are located outside the Hubei province - and while all of these facilities have reopened - they are ramping up more slowly than we had anticipated.” 

 "All of our stores in China and many of our partner stores have been closed," it added. "Additionally, stores that are open have been operating at reduced hours and with very low customer traffic. We are gradually reopening our retail stores and will continue to do so as steadily and safely as we can."

Experts have assessed that the virus may contribute towards the reduction in the demand for smartphones significantly in the first quarter in China, the world's biggest market for gadgets. 
The car industry is yet another sector that has been influenced by disturbance to its supply chain. 

A week ago, the heavy equipment manufacturer JCB said it was cutting production in the UK because of a shortage of components from China. Wedbush analyst Daniel Ives wrote in a note to customers, "While we have discussed a negative iPhone impact from the coronavirus over the past few weeks, the magnitude of this impact to miss its revenue guidance midway through February is clearly worse than feared," 

New virus cases outside the 'epicenter area’ has been declining throughout the previous 13 days. There were 115 new cases outside Hubei reported on Monday, sharply down from about 450 a week back. In any case, regardless of expectations that factories and shops are slowly easing back to normal, Apple's warning, however, will underline that China's economy will be greatly influenced by the coronavirus.

America Vs China! The USA Alleges Huawei to be a Technology Thief and Spy for China?


In view of recent reports, China and the US have taken their technology war to court. Now, the US firms allege that the telecom colossus, Huawei has been planning to rip them off of their technology for “decades”.

Hence, the American organizations decided to expand the premises of their lawsuit against the Chinese mega-company.

The prosecuting attorney mentioned that Huawei did indeed violate the terms of the contract with the companies of the US by stealing robot technology, trade secrets and such.

Per sources, Huawei has straightaway denied all the allegations and has cited that the US is merely threatened by the competition and hence are trying to run down the name of Huawei.

Per newspaper reports, the mega smartphone maker’s chief financial officer and the founder’s daughter are held captive in Canada, struggling against extradition.

According to sources, there are charges of fraud and “sanctions violations” on the founder’s daughter, which she has waved off and denied.

Huawei pretty strong-headedly is maintaining that this lawsuit and the charges on the company are trivial attempts at tarnishing the reputation of their company and attempts at depleting stakes of competition.

Per reports, the fresh accusations of the US against Huawei include trade secret embezzlement, racketeering and even sending spies to obtain confidential information.

Sources reveal, that the persecution attorney also said that Huawei with its stolen data cut both times and cost in the research and development for the company which helped it climb the steps faster than the others.

Per Huawei, the newer charges are just another way of bringing up older claims. Nevertheless, it doesn’t look like the US plan to withdraw their claims or the lawsuit in the near future or at all.

This technological rift has a strong possibility of transforming into a political dispute between America and China. The US is forcing countries like the UK to pull back their support from Huawei, continuing to say that the equipment could be used by China for spying.

Relations between China and the US are down a very flimsy and unpredictable road. All the same, the UK still continues its business ties with Huawei but with possible limits.

China Alleges India for Cyber-attacks Amid the Coronavirus Outbreak. Demands International Cooperation.


China, who is currently battling against the deadly coronavirus epidemic said last Friday that it needs international support from countries across as it is in the midst of an 'exceptional' and 'full-on war' against the deadly virus. The statement arrived after reports of local media claimed that cybercriminals from India had attacked the Chinese hospitals during the coronavirus epidemic. "It appears that Indian hackers had attacked regional health institutes and Chinese hospitals while China was busy fighting the coronavirus epidemic," said a Chinese cybersecurity firm in a statement.


"We have proof that hackers from India attacked Chinese health institutes using 'phishing' e-mails technique," said 360 Technology, a Chinese tech company, in a conversation with a national newspaper, Global Times. In acknowledgment of the comments made, the foreign ministry of China said: "We have to come to this conclusion after considering various reports of local media." "A country which is strictly opposed to cyber hacking of any kind, China, a significant cybersecurity nation, has currently become a victim of hacking," said Hua Chunying, spokesperson, Foreign Ministry of China, last Friday, without mentioning India in the statement.

"It is in these times of misery, that we believe all the countries across the globe should come together as one to fight against this major problem of cyber attacks and hacking. It is only after this would we be able to maintain a safe, secure and helpful cyber world," said Chunying via an e-press conference. She further says: "It is a matter of great concern for China as we are currently amid a crisis of battling a deadly epidemic. Witnessing the current public health emergency, the nations should cooperate to battle this issue."

"Indian hackers have been launching APTs (Advanced Persistent Threat) and attacking Chinese health institutes by sending phishing e-mail schemes," said the company to Global Times. "A suspected group of hackers from India named 'Bitter' have launched APT cyberattacks since March 2019, targeting the Chinese health institutes and research centers, and also the Ministry of Foreign Affairs," said an opinion column from Global Times.

Chinese Origin Threat Group Targets Hong Kong Universities with New Backdoor Variant




The Winnti, a China-linked threat group that has been active in the cyberspace since 2009 was found to be employing a new variant of the ShadowPad backdoor (group's new flagship tool) in the recent attacks where it compromised computer systems at two Hong Kong universities during the protests that began around March 2019 in Hong Kong.

The threat group of Chinese origins has largely targeted the gaming industry, while constantly expanding the scope of its targets. Various reports suggest Winnti being operated in link with some other groups including APT17, Ke3chang Axiom, Wicked Panda, BARIUM, LEAD, DeputyDog, Gref, and PlayfullDragon.

According to other sources available, Kaspersky was the first to identify the Winnti group but some researchers attribute its existence to the year 2007.

In October 2019, security researchers at ESET spotted two new backdoors used by the group – Microsoft SQL-targeting skip-2.0 and PortReuse. Later, the same year in November, ESET researchers discovered samples of ShadowPad Launcher Malware on various devices in the two universities. The Winnti was found to be present on these universities' systems a few weeks before the backdoor was confirmed.

“In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules.” as per the analysis done by ESET.

“One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.” reads the report.

“From this format, we were able to find several C&C URLs, including three additional Hong Kong universities’ names. The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C&C server, showing that these samples were really targeted against these universities.”

Another Chinese state-sponsored hacking groups discovered - would be the fourth one to be found


A group of cyber security analyst, Intrusion Truth have found their fourth Chinese state-sponsored hacking operation APT 40.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
APT stands for Advanced Persistent Threat and is used to describe government supported and sponsored hacking groups. 

Intrusion Truth has previously exposed three government supported APTs, APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),  they have now doxed APT40, China's cyber apparatus in the state of Hainan, an island in the South China Sea.

In a blog post, they said they've discovered 13 companies that serve as a front for APT activists. These companies use offline details, overlapping contacts and no online presence except to recruit cyber experts. 

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 RECRUITMENT MANAGED BY A PROFESSOR

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.Intrusion Truth are pretty credible and have a good track record, US authorities have investigated  two of their three APT expose. 

122 Chinese Men Detained in Nepal on Charges of Cyber-crime and Bank Fraud


KATHMANDU: Nepal police on Tuesday detained 122 Chinese men and women in what seems like the biggest crime gig by foreigners. A police officer, Hobindra Bogati, said the Chinese embassy was aware of the raids and have fully supported the detentions. The chief of police of capital Kathmandu stated that the suspects were raided on Monday when the police got info that some Chinese visa holding foreigners were engaged in suspicious activity. The police chief, Uttam Subedi said, “This is the first time that so many foreigners have been detained for suspected criminal activities."


These people were suspected of various cyber crimes like hacking into bank cash machines and more. These 122 men and women are held in different police stations with their passports and laptops confiscated. Another police officer, Hobindra Bogati, told that the Chinese embassy in Nepal was aware of the raids and have fully supported the detentions. Chinese Foreign Ministry spokesman Geng Shuang, in Beijing, said Nepal and Chinese police have agreed to be cooperative in the investigations and China is willing to increase law-enforcement cooperation with its neighbor.

Chinese people in recent times are increasingly being detained in Asian countries on suspicions of fraud and other illegal activities. In the Philippines last week, 342 Chinese workers were arrested, caught in an unlicensed gambling operation. Some Chinese citizens were also arrested smuggling gold while in September, five were arrested for stealing money from bank cash machines. Even though the rate of criminal activities by the Chinese in Nepal is at a high rate, the state affairs between the two countries couldn't have been better.

China has increased FDI in Nepal in recent years, working on the development of roads, power plants, and hospitals. More than 134,000 Chinese tourists visited Nepal between January and October this year, up 9.2 percent from the same period in 2018, according to Nepal Tourism Board data. During a visit to Nepal by President Xi Jinping in October, Nepal and China signed a treaty to work together and provide mutual assistance on criminal matters.

Businesses over Various Countries become Victims of Threat 'APT20'


An Advanced Persistent Threat (APT) player expected to work from China from the last 2 years is silently targeting companies in the US and throughout the world in complete surveillance operations. Amongst its many targets are businesses in the flight, architecture, service, banking, health, transport businesses, and more, over 10 nations, including the United States, United Kingdom, Germany, China, and France. The threat is known as APT20, according to a report from Fox-It. "We say with great certainty that the threat is from a group from China and, it is probably supporting the interests of the Chinese government with stealing data for surveillance aim," says Fox-IT in a statement.


Fox-IT's report of APT reveals that in a few events, the hackers gained primary entrance to a target's system through a weak Network. Usually, the servers by which APT20 gained access had already jeopardized in an unrelated earlier intervention and had Network pods put upon them. APT20 utilized those Network pods for primary parallel mobility and surveillances. The group's other methods for getting primary entrance involve the use of phishing e-mails and corrupt movable media accessories. Similar to several different threats,

APT20's plan after getting a primary space is to attempt and collect and use entrance information of vested profiles, like those relating to businesses and domains manager. The organization has also used the administrator account to obtain the target system via its own Virtual Private Network (VPN). Fox-IT further says- Our research reveals that the threat uses a variety of design devices and legal assistance in its surveillance. Amongst the designing tools, it works on is one that gets data on software, public links. APT20 uses various tools for the attacks, some of which are: PowerShell, External Remote Services, Command-Line Interface, and WMI (Windows Management Instrumentation) and WAS (Windows Admin Shares).

The tools used by APT20 are authentic in all phases of the intervention series, from primary entrance and performance to exclusive acceleration and parallel flow, to endurance, support dodging, compilation, and filtration. The data on the attacks shows organs of the threat APT20 are most probably from China, that usually works for 8 hours every day, except the weekends.

Cyber-War Exercise held between US and Taiwan


In a cyber-war event that has been going for a week now, the Taiwanese executives are getting hit by phony emails and messages as a part of it. The event is said to be one of its kind. As a part of the cyber-war training between Taiwan and America, the local authority (of Taiwan) is co-directing the cyber drill with the American Institute in Taiwan (AIT), which also represents the US interests in Taiwan. "The foremost is attention is on threats professed by 'North Korea and other countries' that are responsible for the attack," says AIT in a statement.


On the contrary, Taiwan says that a vast number of cyber-attacks that it suffers come from China. "It is like fighting combat when we are dealing with attacks like these," said a Taiwanese official earlier this month. The cyber-war drills are to take place on Friday, which will try to break into the administration servers and websites by duping the workers in receiving misleading messages. "Taiwan considers China as the main offender for these cyberattacks threats on the island," said Veerle Nouwens, Royal United Services Institute for Defence and Security Studies, UK.

"Taiwanese administration's systems suffer around 30 million cyberattacks every month, and China is responsible for half of it," says the administrator general of Cyber Security Agency, Taiwan. He further adds, "But, no matter where the origin of the attacks happen, building a robust cyber-security system is the first priority for every government and private-sector corporations."

Risks involved- 
The cyber-war exercises were formally started by Raymond Greene, Director, AIT, at a Microsoft event. "It is a start of new opportunities between the two nations in the cybersecurity field," says Raymond regarding the tests. "The concern today is not any physical violence in any country but rather an invasion of cyber-security by corrupt criminals that is capable of stirring the society from the inside." "But in the end, these attacks are a concern for us all in numerous ways." This is a matter of serious concern as the cyberattacks are trying to influence the elections, economy, and infrastructure of the victim country.

China supported website attacks Hong Kong activists : leaking their personal details online!


HK Leaks, a notorious website is targeting Hong Kong pro-democracy supporters, leaking their personal details online and there seems to be no way of catching the site and stopping it.

The website is using a Russian based server and is also supported by China's ruling Communist Party. From Journalists to lawmakers, around 200 individuals, those supporting the protests in Hong Kong have been "doxxed"- had their personal details broadcasted online by the site.

Since June anti-government protests have rocked Hong Kong against proposals to allow extradition to mainland China and clashes between the activists and police have become increasingly violent, with police firing live bullets and protesters attacking officers and throwing petrol bombs. With this new development, of doing activists; the situation shows no sign of dying down.

Privacy Commissioner Stephen Wong said he had ordered HK Leaks to take down all posts but the site remains online. On the home page of the website, a picture of black-clad protester is shown and a banner in Chinese saying, "We want to know who these people are and why they are messing up Hong Kong!". Phone numbers, addresses and personal details of hundreds of people are posted with their "misdeeds". And it is illegal in Hong Kong to disclose certain personal details, including phone numbers, without consent.

HK Leaks has a very sophisticated operation, designed to evade prosecution. It is registered anonymously on a Russian server, DDOS-Guard and has changed domain three times since August.

"The IP address that is shown for the website is not that of the website itself but of the DDOS-Guard company," cybersecurity expert Brian Honan said. The site has a bulletproof anonymous hosting, and whoever is running the website is very good at what they do. It ran as hkleaks.org in early August then migrating to hkleaks.ru, which discontinued in late October and since then three more similar domains have been used by the site.

"This site seems to be really well set up to reveal as little as possible and it doesn't use lots of external services, like buttons, statistics trackers, various scripts that would leak information," said Maarten Schenk, co-founder of the fact-check site Lead Stories.

To extract any details from the domain registrar, a court order would be necessary and the site is heavily supported by the big guns of China with heavy traffic, which is 175,000 unique page views. Chinese Communist Youth League, a group linked to China's Communist Party, has promoted the site's content on its official Weibo accounts. The state-run broadcaster, CCTV and Global Times newspaper, also posted similar messages on their social media accounts.

Some victims also accused the Chinese authorities of involvement behind the leaks, said that the fake address they gave the police during an interrogation showed up on the website HK Leaks.

How China uses LinkedIn to recruit spies


One former senior foreign policy official in the Obama administration received messages from someone on LinkedIn offering to fly him to China and connect him with “well paid” opportunities.

A former Danish Foreign Ministry official got LinkedIn messages from someone appearing to be a woman at a Chinese headhunting firm wanting to meet in Beijing. Three middle-aged men showed up instead and said they could help the former official gain “great access to the Chinese system.”

A former Obama White House official and career diplomat was befriended on LinkedIn by a person who claimed to be a research fellow at the California Institute of Technology, with a profile page showing connections to White House aides and ambassadors. No such fellow exists.

Foreign agents are exploiting social media to try to recruit assets, with LinkedIn as a prime hunting ground, Western counterintelligence officials say. Intelligence agencies in the United States, Britain, Germany and France have issued warnings about foreign agents approaching thousands of users on the site. Chinese spies are the most active, officials say.

“We’ve seen China’s intelligence services doing this on a mass scale,” said William R. Evanina, director of the National Counterintelligence and Security Center, a government agency that tracks foreign spying and alerts companies to possible infiltration. “Instead of dispatching spies to the U.S. to recruit a single target, it’s more efficient to sit behind a computer in China and send out friend requests to thousands of targets using fake profiles.”

The use of social media by Chinese government operatives for what American officials and executives call nefarious purposes has drawn heightened scrutiny in recent weeks. Facebook, Twitter and YouTube said they deleted accounts that had spread disinformation about the Hong Kong pro-democracy protests. Twitter alone said it removed nearly 1,000 accounts.

It was the first time Facebook and Twitter had taken down accounts linked to disinformation from China. Many governments have employed similar playbooks to sow disinformation since Russia used the tactic to great effect in 2015 and 2016.

Indian Healthcare Website Hacked, stolen data for sale





US-based cyber-security firm FireEye discovered a hack into a leading Indian healthcare website, stealing more than 68 lakh data of both doctors and patients.

The FireEye did not name the website but said that the cybercriminals mostly from China are selling the stolen data in web portals around the world.

"In February, a bad actor that goes by the name "fallensky519" stole 6,800,000 records associated with an India-based healthcare website that contains patient information and personally identifiable information (PII), doctor information and PII and credentials," FireEye said in its report shared with IANS.

According to FireEye, in between October 1, 2018, and March 31, 2019, their intelligence team stumbled upon on multiple healthcare-associated databases which were for sale in $2,000.

"In particular, it is likely that an area of unique interest is cancer-related research, reflective of China's growing concern over increasing cancer and mortality rates, and the accompanying national health care costs," the cyber-security agency noted.

"Targetting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors," the report claimed.