skip to Main Content

Cyber Espionage, Fox-IT unveils the APT20 underreported threat

Fox-IT unveils APT20. The group works to support the interests of the Chinese government and is tasked with obtaining information for espionage purposes

Fox-IT unveiled the Chinese base hacking group of APT20, one of the most underreported threat actor that cyber security experts have dealt with over the past two years. They do analyzing “Operation Woocao”, that targeted businesses, governments, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech in 10 countries for years, bypassing two-factor authentication. The group works to support the interests of the Chinese government and is tasked with obtaining information for espionage purposes. The malicious hackers carry out most of their activities on the basis of access through “legitimate” channels. VPN access is an example, and researchers have even seen APT20 abuse 2FA soft tokens. For back-up purposes, they may keep additional access methods in place. They move through the network, directly singling out workstations of employees with privileged access (administrators).

What the cyber security experts found

According to the cyber security experts, on these systems, the contents of passwords vaults (password managers) are directly targeted and retrieved. As much as is possible, APT20 operators remove file system based forensic traces of their activities, making it much harder for investigators to determine what happened after the fact. On the basis of the above, an attacker can efficiently achieve their goal of exfiltrating data, sabotaging systems, maintaining access and jumping to additional targets. Overall the Chinese hackers have been able to stay under the radar even though the tools and techniques they use for their hacking operations are relatively simple and to the point.

The APT20 Initial Access

Fox-IT found that In several cases the initial APT20 access point into a victim network was a vulnerable webserver, often versions of JBoss. Such vulnerable servers were observed to often already be compromised with webshells, placed there by other threat actors. The actor actually leverages these other webshells for reconnaissance and initial lateral movement activity. After this initial reconnaissance the actor uploads one of its own webshells to the webserver. Access as initially obtained to the compromised webserver, for example through the uploaded webshell, is kept by the actor as a precaution in the event of losing the other primary method of persistent access, for example if the credentials for VPN accounts were to be reset. Once an initial foothold is established, the actor moves laterally through the network using well- known and well-documented methods, such as dumping credentials from memory and accessing password managers on compromised systems.

The Cyber Espionage Hackers Lateral Movement and 2FA Abuse

The cyber espionage actor specifically targets systems and people based on their role and associated privilege levels within the organization. This method enables APT20 to persistently and quickly obtain access to highly privileged accounts, such as enterprise and domain administrators. Once obtained, the actor directly shifts their means of persistence. Instead of having to rely on their persistent malicious backdoors as C2 channel, the malicious hackers use the stolen credentials to connect to the victim’s network using the corporate VPN solution. In one case, for VPN persistence, the actor did show evidence of using novel techniques. In this case VPN access to a victim’s network was protected by 2 factor authentication (2FA), which normally protects an asset from simple credential theft. In this case, however, the actor abused this implementation of 2FA control with a technique that, as far as Fox-IT could determine, was developed by the actor themselves. 

Backdoors, Open source tools & Exfiltration

APT20, with access to the victim’s network through legitimate VPN accounts and the stolen credentials to highly privileged accounts in one or multiple domains, then uses a mix of (custom developed) backdoors and open source tools to connect to and through compromised systems. Upon compromising a system, the state-sponsored actor sometimes utilizes a custom reconnaissance script. This collects, among other things, installed software, running processes and open connections. Then after deploying the backdoor, the hackers manually start identifying and collecting information and data on the system. Several custom tools are used to aid in this effort. For example, a tool that outputs a recursive directory listing in a specific format allows the actor to quickly find files and directories of interest. The actor then compresses all the files of interest with WinRAR, sometimes copying or staging them in a temporary directory. These archives are then downloaded using the download functionality of one of their custom backdoor. Finally, the actor securely removes all created executables and files, and the backdoor is closed.

Back To Top