An advanced persistent threat (APT) espionage campaign with ties to the Chinese government, one that is able to bypass two-factor authentication (2FA), has been spying on governments and on businesses, among them energy companies, in 10 countries for two years, researchers said.
The Wocao campaign targeted government entities and managed service providers across a wide variety of industries, said researchers at Fox-IT.
“Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes,” the report notes. “With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20.”
Fox-IT said the attacker:
• Carries out most of their activities on the basis of access through “legitimate” channels. VPN access is an example of such a channel, and we have even seen APT20 abuse two-factor authentication soft tokens.
• For back-up purposes, they may keep additional access methods in place.
• They move through the network, directly singling out workstations of employees with privileged access (administrators).
• On these systems, the contents of password vaults (password managers) are directly targeted and retrieved.
• As much as is possible, they remove file-system-based forensic traces of their activities, making it much harder for investigators to determine what happened after the fact.
• On the basis of the above, an attacker can efficiently achieve their goal of exfiltrating data, sabotaging systems, maintaining access and jumping to additional targets.
Overall the actor has been able to stay under the radar even though the tools and techniques they use for their hacking operations are relatively simple.
The attackers were able to bypass two-factor authentication by targeting the devices of employees with privileged access to the company’s network, according to the Fox-IT report.
Fox-IT identified victims across the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom and the United States.
The victims include government entities and managed service providers, and they span a wide variety of industries, including:
• Health care
• Offshore engineering
• Payroll and other HR services
• Physical lock manufacturers
• Software development
Once the attackers had gained persistence by compromising VPN credentials, they bypassed 2FA, researchers said.
Fox-IT researchers said this was likely achieved by stealing an RSA SecurID software token, which was then used on the attacker’s own systems to generate valid one-time codes and so bypass the 2FA.
“In short, all the actor has to do to make use of the 2-factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens,” the report said.
After bypassing the authentication, the attackers escalated privileges, moved laterally through the network, collected and exfiltrated data, and communicated with their command-and-control infrastructure, the researchers say.
While performing these activities, the threat actors removed files that could have been used to trace their activities, which made detecting the group’s activity hard, according to the research report.