Hackers in China are part of massive government group, report says


Hacks that were previously thought to be the work of unrelated groups have actually been coordinated by China since at least 2009, according to researchers.

There’s a Chinese proverb that roughly translates to “One chopstick is easily broken, but a bundle of chopsticks is unbreakable.”

Multiple hacking groups in China previously thought to be individual actors are actually part of a larger, long-running, state-sponsored umbrella group, according to threat research group 401TRG at Denver-based security company ProtectWise.

The larger group, which 401TRG dubbed the Winnti umbrella, is an “advanced and potent threat” with a primary long-term mission that is politically focused, the researchers warn in a report released last week. Winnti refers to a “custom backdoor used by groups under the umbrella,” 401TRG said in its report.

Hacking activities are not uncharted waters for China. According to a report earlier this year from security company Recorded Future, the Chinese government lied about belatedly informing the Chinese public of security flaws in order to hide exploits it was likely using in attacks.

The state-sponsored campaigns stretch back to 2009, with some reports of potential activity as far back as 2007, 401TRG said. These include some highly visible operations uncovered by Kaspersky Lab in 2013 and Trend Micro in 2017, as well as attacks targeting journalists reported by the Citizen Lab.

People working for the umbrella group typically begin by phishing users who may provide a stepping stone to a target network, according to the report. Data is then harvested using malware, though “campaign themes have matured” this year with “code signing certificates and software manipulation” becoming more popular.

“Gaming studios and high tech businesses” in China, Japan, South Korea and US have been the group’s initial targets

While Winnti umbrella attackers usually use their own command-and-control servers to mask their actual location, 401TRG said, they have occasionally made “sloppy” mistakes that provide clues to their Chinese origins. In these cases, they “mistakenly” accessed machines using IP addresses linked to a China Unicom network in the Xicheng District of Beijing.

The group continues to function, the report said.

By Zoey Chong


Please enter your comment!
Please enter your name here