You can’t exactly go about your normal daily activities when you’re sick, and depending on how sick you might be, it may seem to others like you’ve just … disappeared. That’s what happened when the state-backed Chinese espionage group APT 41 started its hacking campaign in the early stages of this year, right before COVID-19 resulted in a full-blown quarantine.
APT 41 began 2020 with “one of its largest hacking campaigns,” targeting a wide range of businesses (telecom, manufacturing, healthcare, defense, higher education, pharmaceuticals, banking, media, oil and gas, chemicals and government).
This hacking group, “widely believed to be linked to the Chinese government,” uses its campaigns to steal intellectual property and “deploy general espionage and surveillance on target networks.”
Cybersecurity company FireEye discovered APT 41’s campaign, which began in January and lasted through March, and called it “one of the broadest campaigns by a Chinese espionage actor we have observed in recent years.” The vulnerabilities they exploited were in Citrix NetScaler, Cisco routers and Zoho ManageEngine Desktop Central.
The critical vulnerability in Citrix NetScaler was disclosed in December, and it was not long until APT 41 had taken advantage of the situation.
However, there was a “lull in activity” between January 23rd and February 1st, attributed to the Chinese New Year (these hackers obviously like to party). Another, much longer lull was observed between February 2nd and February 19th, now attributed to the spread of COVID-19 and the lock-down and quarantine regulations placed upon certain Chinese regions.
What can quiet a prolific Chinese cyber-espionage group? New Year’s celebrations, and quarantines.
FireEye commented to explain their findings: “We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT 41 may have remained active in other ways, which we were unable to observe with FireEye telemetry.”
Attempts (both successful and unsuccessful) to exploit several other vulnerabilities resumed in full force after February 24th, only furthering the assumption that APT 41 resides in Hubei province.
This virus has affected groups throughout the world, good and bad, strong and weak. The lack of activity from APT 41 while China’s lock-down was most aggressive serves to remind us that there is a human element behind our technology, and it can be dangerous.
If you need assistance with cybersecurity services contact DarkHound at [email protected].