Spike in Chinese digital espionage


A US cybersecurity firm detected a surge in cyber spying by a suspected Chinese group dating back to January, when the coronavirus started spreading outside China.

FireEye said in a report it spotted a spike in activity from a hacking group it dubs “APT41” that began on January 20 and targeted at least 75 customers, from manufacturers and media companies to healthcare organisations and non-profits.

There were “multiple possible explanations” for the spike, said FireEye security architect Christopher Glyer, pointing to tensions between Washington and Beijing over trade and recent clashes over the coronavirus outbreak, which has killed more than 17,000 people to date.

The report said it was “one of the broadest campaigns by a Chinese cyber espionage actor we observed in recent years.”

FireEye declined to identify the affected customers. The Chinese Foreign Ministry did not directly address FireEye’s allegations, saying in a statement that China was “a victim of cybercrime and cyberattack.” The US Office of the Director of National Intelligence declined to comment.

FireEye said in its report that APT41 abused recently disclosed flaws in software developed by Cisco, Citrix and others to break into company networks in the US, Canada, Britain, Mexico, Saudi Arabia, Singapore and a dozen other countries.

Cisco said in an email that it had fixed the vulnerability and was aware of attempts to exploit it, a sentiment echoed by Citrix, which said it had worked with FireEye to identify “potential compromises.”

Others also spotted a recent uptick in cyber-espionage activity linked to Beijing.

Matt Webster, a researcher with Secureworks – Dell Technologies’ cybersecurity arm – said in an email his team also saw evidence of increased activity from Chinese hacking groups “over the last few weeks.”

In particular, he said his team recently spotted new digital infrastructure associated with APT41 – which Secureworks dubs “Bronze Atlas.”

Tying hacking campaigns to a specific country or entity is fraught with uncertainty, but FireEye said it assessed “with moderate confidence” APT41 was composed of Chinese government contractors.

FireEye’s head of analysis, John Hultquist, said the surge was surprising because hacking activity attributed to China is generally more focused.

“This broad action is a departure from that norm,” he said.