Skip to main content

State-sponsored Chinese cybercriminals launch global intrusion campaign

(Image credit: Image source: Shutterstock/lolloj)

Cybersecurity researchers at FireEye have reported “one of the broadest campaigns by a Chinese cyber-espionage actor” in years. According to the security firm, state-sponsored cybercriminal syndicate APT41 is behind the campaign, which was first spotted two months ago.

Analysing the threats faced by its clients, FireEye claims APT41’s activity has narrowed in scope over the past couple of years. However, this new campaign moves in a different direction, targeting at least 20 sectors in as many different countries.

The sectors in the group's crosshairs include government, media, higher education, healthcare, banking and telecommunications operators, while the UK, US, France, Japan, Saudi Arabia, Singapore, Sweden the UAE were among the countries targeted.

The attack appears to leverage vulnerabilities found in Citrix NetScaler/ADC, Cisco routers and Zoho’s ManageEngine Desktop Central software.

“It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organisations to target, but the victims appear to be more targeted in nature,” said FireEye in a blog.

The group's activities halted completely between February 2 - 19, potentially as a result of the coronavirus outbreak.

“China initiated Covid-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10,” FireEye noted.

“While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry.”