A major Chinese cyberattack on American companies screeched to a halt during China's coronavirus lockdown, apparently because the state-sponsored hackers couldn't work from home

  • Research from FireEye shows that a formidable group of Chinese state-sponsored hackers laid the groundwork for a major corporate hacking attempt on February 1st - and then nothing happened.
  • The corporate hack that could represent a historic resumption of aggressive corporate espionage between the economic superpowers was completely put on hold - as China rolled out coronavirus shelter-in-place rules.
  • The apparent issue: the hackers are technically contractors with the Chinese government, meaning that they couldn't take their work home with them.
  • The report also finds that this group of young hackers, known as Double Dragon, is allowed to hack for personal gain on their downtime: Records indicate that one of the hackers breaks into gaming systems at night using government hacking tools.

On February 1st, the formidable APT41 group of Chinese hackers, also known as Double Dragon, logged into a server connected to American companies and set up a "backdoor" that could be used later in what experts say is one of the broadest corporate hacking attempts in years.


And then... nothing happened. For more than two weeks.

The corporate hack that could represent a historic resumption of aggressive corporate espionage between the economic superpowers was completely put on hold - as China rolled out coronavirus shelter-in-place rules.


"We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10," the Silicon Valley cybersecurity company FireEye says in a report on the hacking that gives a fascinating view of the state-sponsored hackers.

"This reduction in activity might be related to the COVID-19 quarantine measures in China," FireEye wrote.


While millions of Chinese have worked from home for the first time during the coronavirus pandemic, that apparently does not apply to the state-sponsored hacking contractors behind the biggest corporate hacking attempt in years, which picked up where it left off on February 20, according to FireEye.

The savvy young contractors appear to have an agreement with the government that allows them to hack for China and then continue to use government-sponsored tools to hack for personal gain. "Skilled actors opt to work for private sector entities that have government contracts because of better pay," FireEye says.

"APT41's use of the same malware in both financial- and espionage-related operations could support their status as contractors; state employees are less likely to use such tools for personal financial gain over multiple years given the potential for greater scrutiny or punishment."

But that contractor status may also make it hard for a young hacker to bring state-owned hacking tools home with him for a few weeks.

One of those hackers, named as Zhang Xuguang, performs intricate hacking work on gaming systems as a side hustle, FireEye says. He was also quite young when he got started in the pro hacking underground.


"Zhang's profile indicated he was 16, going on 17, and he was applying to be the administrator of a script hacking forum," FireEye writes in a 68-page report titled "Double Dragon - APT41, a dual espionage and cyber crime operation."

Another member of the group, who hacks under the name Wolfzhi, is portrayed as an urban techie from Beijing or the surrounding province with a specialization in data science.

The hackers also take a long annual vacation around January's lunar new year celebrations in China, notes Christopher Glyer, FireEye's chief security architect, who has tracked the group for years.

"They're people, too," he says.
