HACKERS TARGETED DIPLOMATS IN ASIA
Quote:The Google Threat Intelligence Group (GTIG) reported on Monday that a “complex, multifaceted campaign” by hackers linked to the Chinese government is targeting “diplomats in Southeast Asia and other entities globally.”
“GTIG assesses this was likely in support of cyber espionage operations aligned with the strategic interests of the People’s Republic of China (PRC),” the report said.
The cyber espionage campaign involved a “captive portal redirect,” which infected the targeted computer systems with a “digitally signed downloader.” The downloader, in turn, installed a spyware program on the victimized computer systems.
In other words, the hackers allegedly tricked their victims into accessing hijacked websites that infected them with a two-stage malware attack. The first stage was a seemingly legitimate download plugin for their browsers, which proceeded to pull a backdoor virus called SOGU.SEC into their computers. Users thought they were downloading innocuous software updates, but they were really getting a virus.
GTIG uncovered the scheme by noticing “redirect chains” leading from legitimate domains to highly suspicious websites controlled by hackers. The one missing piece of the puzzle was the initial attack that forced the targeted WiFi routers to bounce to the hackers’ website. Google’s security technicians were unable to observe this first step in the process when they began investigating the cyber espionage campaign in March 2025.
GTIG identified a “PRC-nexus threat actor” called UNC6384 as the culprit. Some of the web pages involved in the espionage scheme are known to be controlled by this group. Also, the highly sophisticated code that fooled victims’ computers into installing the malware by abusing legitimate functions of Microsoft Windows and cleverly concealing security violations has been employed in previous UNC6384 attacks.
“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” GTIG concluded.
Senior Google security engineer Patrick Whitsell told Bloomberg News on Monday that “about two dozen victims” were infected by the malware, most of them diplomats working in Southeast Asia.
Whitsell did not disclose the nationalities of the targeted diplomats, but his team was highly confident that the hackers were “China-aligned” – either working “inside the government” or as “outside contractors.”
“I would assume diplomats have pretty sensitive documents on their laptops that they’re using for their day-to-day work. And yeah, once you’re on that device, you can get those documents,” he said.
The “UNC” prefix denotes a threat actor that has not been precisely identified yet. UNC6384 has certain similarities in tactics and preferred software tools to a Chinese hacker gang called “Mustang Panda,” which works under a number of aliases, including “TEMP.hex,” “Bronze President,” “Camaro Dragon,” and “Red Lich.”
The malware payload delivered in the second stage of the attack on diplomats in Southeast Asia was first detected by cybersecurity analysts in 2008. Increasingly sophisticated versions of this virus have long been popular with Chinese hacking groups.
Another clue to the identity of the culprits is that the downloader used in the first stage of the attack was digitally signed by a Chinese company called Chengdu Nuoxin Times Technology Co. Ltd. Digital signatures prompt computer systems to treat a software package as safe and legitimate.
At least 25 instances of malware signed by Chengdu Nuoxin have been discovered by GTIG over the past two years, most of them deployed by hackers linked to the Chinese government. GTIG investigated two previous large-scale cyber espionage campaigns that employed malware signed by the same company, with enough similarities to the diplomat attack to suggest they might have been carried out by the same threat actor, UNC6384.
“It remains an open question how the threat actors are obtaining these certificates,” GTIG noted. “The Subscriber organization may be a victim with compromised code signing material. However, they may also be a willing participant or front company facilitating cyber espionage operations.”
HACKERS FAKED EMAILS FROM TOP REPUBLICAN
Quote:The FBI and Capitol Police are reportedly investigating a string of fake emails sent to House staffers by Chinese hackers masquerading as Rep. John Moolenaar (R-MI), chairman of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party.
According to a report from the Wall Street Journal (WSJ) on Sunday, the emails were sent to staffers on Moolenaar’s committee, plus members of “several trade groups, law firms and U.S. government agencies” in July, when trade talks between the U.S. and China were ramping up.
The email included a draft copy of legislation for sanctions against China, and solicited “insights” from recipients about the bill.
The FBI and Capitol Police were brought in when some of the recipients noticed the message came from a mysterious non-governmental email address. Forensic technicians quickly discovered the emails were laced with spyware code, which was traced to a notorious threat actor known to cybersecurity experts as APT41.
APT41 – also known as “Double Dragon,” “Wicked Panda,” “Bronze Atlas,” “Barium,” and a number of other aliases, some of which could belong to associated groups – is a very active, highly sophisticated hacking team linked to the Chinese Ministry of State Security (MSS). Several leading members of the group are wanted by the FBI.
The hackers of APT41 split their time between harvesting information that would be useful to the Chinese government, and committing financial crimes to enrich themselves, frequently targeting the video game industry. This leads cybersecurity analysts to believe the group is a “contractor,” hired and paid by the MSS to conduct espionage campaigns for the benefit of the Chinese government.
APT41 is noted for employing a large and sophisticated arsenal of malware programs against its victims. The group prefers to deploy its malware with “spear phishing” attacks, which involve sending realistic-looking messages from people known to the victims, just as with the fake emails from Moolenaar. The unsuspecting victims, believing the emails to be legitimate, click on links or download files attached to the messages, and their systems become infected with malware.
In this case, the attached copy of the draft legislation contained a viral payload. Cybersecurity analysts said the hackers would have been able to penetrate the system of any victim who downloaded the document, as directed by the fake email.
“The hacking campaign appeared to be aimed at giving Chinese officials an inside look at the recommendations Trump was receiving from outside groups. It couldn’t be determined whether the attackers had successfully breached any of the targets,” the WSJ reported.
The report said it was “particularly galling” for Chinese hackers to use Moolenaar’s name in their fake emails, because the congressman is a “harsh critic of Beijing.”
HACKERS MIGHT HAVE STOLEN DATA FROM ALMOST EVERY AMERICAN AND SOME CANADIANS AS WELL
Quote:Information collected during the yearslong Salt Typhoon attack could allow Beijing’s intelligence services to track targets from the United States and dozens of other countries.
China has hacked into American power grids and companies for decades, stealing sensitive files and intellectual property such as chip designs as it seeks to gain an edge over the United States.
But a sweeping cyberattack by a group known as Salt Typhoon is China’s most ambitious yet, experts and officials have concluded after a year of investigating it. It targeted more than 80 countries and may have stolen information from nearly every American, officials said. They see it as evidence that China’s capabilities rival those of the United States and its allies.
The Salt Typhoon attack was a yearslong, coordinated assault that infiltrated major telecommunications companies and others, investigators said in a highly unusual joint statement last week. The range of the attack was far greater than originally understood, and security officials warned that the stolen data could allow Chinese intelligence services to exploit global communication networks to track targets including politicians, spies and activists.
Hackers sponsored by the Chinese government “are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks,” the statement said.
British and American officials have described the attack as “unrestrained” and “indiscriminate.” Canada, Finland, Germany, Italy, Japan and Spain were also signatories to the statement, which was part of a name-and-shame effort directed at the Chinese government.
“I can’t imagine any American was spared given the breadth of the campaign,” said Cynthia Kaiser, a former top official in the F.B.I.’s cyber division, who oversaw investigations into the hacking.
It was unclear whether the Salt Typhoon hack was intended to store ordinary people’s data or if that data was incidentally swept up in the attack. But its scope was broader than previous hacks, in which China more narrowly targeted Westerners working on security or other sensitive government issues, Ms. Kaiser said.
The Salt Typhoon hack could signal a new era of Chinese cyber capabilities that will test its strategic rivals, including the United States, security experts said. It highlights China’s ambitions for global influence, which were on display on Wednesday at an elaborate military parade in Beijing that featured fighter jets, tanks and thousands of troops marching across Tiananmen Square.
“In many ways, Salt Typhoon marks a new chapter,” said Jennifer Ewbank, the former C.I.A. deputy director for digital innovation. A decade ago, she noted, Western allies worried about China’s thefts of trade secrets, personal information and government data, which used more rudimentary techniques.
“Today, we see patient, state-backed campaigns burrowed deep into the infrastructure of more than 80 countries, characterized by a high level of technical sophistication, patience and persistence,” she added.
The Chinese Embassy in London did not respond to a message seeking comment.
The statement from Western allies gave the fullest accounting yet of what the F.B.I. has called China’s “cyberespionage campaign.”
Investigators linked the Salt Typhoon attack to at least three China-based technology companies that have been operating since at least 2019, but the operation was uncovered only last year. The joint statement said the companies worked for China’s military and civilian intelligence agencies, which carry out foreign operations.
The hackers’ goal was to give Chinese officials the “capability to identify and track their targets’ communications and movements around the world,” the statement said. Among the targets were phones used by prominent politicians, including President Trump and Vice President JD Vance, during their campaign last year. The effort also took aim at Democrats.
The attackers stole data from telecommunications and internet service companies, penetrating more than a half dozen U.S. telecommunications companies alone. The hackers exploited old vulnerabilities in the networks, the British authorities said. They also hacked into lodging and transportation companies, among other targets.
The hackers were able to listen in on telephone conversations and read unencrypted text messages, Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, has said.
The attack built on China’s earlier hacks, said Jamie MacColl, a senior research fellow in cybersecurity at Royal United Services Institute, an analytical group affiliated with the British military. For years, China has collected large data sets, Mr. MacColl said, intending to one day exploit that information.
“If you’re a cyber power, then it makes sense you would want to compromise the global communications network,” he said.
Chinese operators previously targeted American companies such as Marriott International, health insurers and the U.S. Office of Personnel Management, which keeps government security clearance files. In 2021, the Biden administration accused the Chinese government of breaching widely used Microsoft email systems.
Russian state-sponsored hackers have also carried out successful breaches. The U.S. and British governments and their closest allies also have vast spying capabilities. It is not clear how Western countries responded to Salt Typhoon.
The operation was “more than a one-off intelligence success for China,” Anne Neuberger, a Biden administration cybersecurity official, wrote recently in Foreign Affairs magazine.
“It reflected a deeper, troubling reality,” she wrote, adding, “China is positioning itself to dominate the digital battle space.”
Here's another article on what happened to Canada during this Chinese hacking campaign.
Quote:CSE confirms Canadian telecom targeted, won't detail extent of attack
A Chinese hacking group that may have stolen information from nearly every American "almost certainly" targeted a Canadian telecommunications company as well, according to a warning from Canada's cyber intelligence agency.
The prowess of the Beijing-backed group often referred to as Salt Typhoon is back in the news after more than a dozen international government agencies issued a joint statement warning of a "deliberate and sustained campaign."
The U.S.-led statement was co-signed by international intelligence agencies, including from the United States, Australia and Canada's Communications Security Establishment (CSE).
The joint advisory found that Salt Typhoon targeted "telecommunications, government, transportation, lodging and military infrastructure networks."
The statement, released late last week, said the stolen data "ultimately can provide Chinese intelligence services with the capability to identify and track their targets' communications and movements around the world."
Cynthia Kaiser, a former senior official with the Federal Bureau of Investigation (FBI) who oversaw investigations into the hacking, told The New York Times she "can't imagine any American was spared given the breadth of the campaign."
While some of Salt Typhoon's operations have previously been reported, the joint statement suggests the scope and persistence of the attacks are larger than originally thought.
Late last year, U.S. agencies reported that Salt Typhoon had compromised multiple telecommunications networks as part of an espionage campaign. U.S. media reported the devices used by since re-elected U.S. President Donald Trump and his then running mate, JD Vance, were targeted in the hack.
Now the FBI says the group "recklessly stole personal data belonging to millions of Americans, and in some instances surveilled communications — all in support of the Chinese Communist Party."
The bureau said in a statement last week that "the expectation of privacy was violated not just in the United States but abused globally."
LONG RECOVERY PROCESS AFTER CHINESE SPIES HAD ACCESSED PRIVATE DETAILS OF 40 MILLION BRITISH VOTERS
Quote:The UK's elections watchdog says it's taken three years and at least a quarter of a million pounds to fully recover from a hack that saw the private details of 40m voters accessed by Chinese cyber spies.
Last year, the Electoral Commission was publicly reprimanded for a litany of security failures that allowed hacking groups to spy undetected, after breaking into databases and email systems.
In the first interview about the hack, the commission's new boss admits huge mistakes were made, but says the organisation is now secure.
"The whole thing was an enormous shock and basically it's taken us quite a few years to recover from it," says chief executive Vijay Rangarajan.
"The culture here has changed significantly now partly as a result of this. It's a very painful way to learn."
The Electoral Commission oversees elections and regulates political finance in the UK to ensure the integrity of the democratic process.
Mr Rangarajan was not CEO when the hack happened but says that colleagues described the chaos of discovering the hackers as "feeling like you'd been burgled whilst still inside the house".
The hackers' first breach was in August 2021, using a security flaw in a popular software programme called Microsoft Exchange. The digital hole was being exploited by suspected Chinese spies around the world and organisations were being warned to download a software patch to protect themselves. Despite months of warnings, the commission failed to do so.
Hackers had access to the full open electoral register containing the names and addresses of all 40m UK voters.
They could also read every email sent and received at the commission.
The criminals weren't found until October 2022 during a password system upgrade.
Cyber security failures
Not keeping software up to date was one of several basic security mistakes made including having bad password practices, failing a basic government-run security audit and ignoring advice from the National Cyber Security Centre.
The Information Commissioner's office issued a formal reprimand to the Electoral Commission but if equivalent mistakes were made in a private sector breach it would likely have led to a large fine.
Mr Rangarajan says that as well as the reprimand, stakeholders including in parliament were shocked by the complacency and asked "what were you doing?"
No individual person has been publicly reprimanded for the security lapses.
There were six by-elections during the period that hackers were inside the commission's IT networks but there is no evidence that anything was affected by it.
However the commission says it still doesn't know what the hackers were doing or what information they may have downloaded.
Mr Rangarajan admits that the hackers could have caused major disruption if they had installed malicious software or hampered communications during an election.
"All of this could have caused us amazing problems. It was a dangerous thing to have happened," he said.
Chinese spies were blamed for the attack and received sanctions from British and US authorities. China has always denied any involvement.
Mr Rangarajan said staff at the time didn't seem to think the commission would be targeted by hackers. This was despite high profile election interference cases like the 2016 US presidential election hack of Hillary Clinton's emails.
"I don't think everyone realised quite how much democratic systems and electoral systems were targets. We tended to be quite comfortable in the way we run things. We now have to be really up to speed with the threats," he said.
The Electoral Commission was given grants of more than £250,000 to recover from the breach and now says it is spending significantly more of its budget on cyber security.
It has now passed the National Cyber Security Centre's Cyber Essentials certification – the audit that an insider told the BBC it had failed in the build up to the hack. It has also achieved Cyber Essentials Plus – the highest level of certification from the scheme.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
![[Image: SP1-Scripter.png]](https://www.save-point.org/images/userbars/SP1-Scripter.png)
![[Image: SP1-Writer.png]](https://www.save-point.org/images/userbars/SP1-Writer.png)
![[Image: SP1-Poet.png]](https://www.save-point.org/images/userbars/SP1-Poet.png)
![[Image: SP1-PixelArtist.png]](https://www.save-point.org/images/userbars/SP1-PixelArtist.png)
![[Image: SP1-Reporter.png]](https://i.postimg.cc/GmxWbHyL/SP1-Reporter.png)
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE
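As an added example that is not part of the quoted GTIG reporting or of this post: the "redirect chains" GTIG describes in the diplomat campaign (an operating system's captive-portal connectivity check bounced through one or more hops to an attacker-controlled site that serves a signed downloader) leave a recognisable shape in proxy logs. The script below reconstructs per-client redirect chains from log records and flags any chain that starts at a connectivity-probe host and ends somewhere other than the network's expected portal, raising severity when the last hop serves an executable. The log format, the sample records, the portal allowlist and the executable suffixes are assumptions made for this illustration; only the connectivity-probe hostnames are real.

```python
"""Added example, not from the quoted articles or from GTIG: reconstruct HTTP
redirect chains from proxy-log records and flag a captive-portal check that is
bounced to an unexpected host, especially when the chain ends in an executable.
The log format, the sample records, the allowlist and the file suffixes are
assumptions made for this illustration; only the probe hostnames are real."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Connectivity probes an OS issues when it joins a network; a captive portal answers
# these with a redirect, which is exactly what a hijacker on the path can imitate.
PROBE_HOSTS = {"www.msftconnecttest.com", "connectivitycheck.gstatic.com", "captive.apple.com"}
# Where a captive-portal redirect is expected to land on this network (assumed allowlist).
EXPECTED_PORTAL_HOSTS = {"portal.hotel.example"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr")


@dataclass
class Record:
    ts: int
    client: str
    url: str
    status: int
    location: Optional[str]   # Location header on 3xx responses, else None
    content_type: str


def parse_line(line: str) -> Record:
    """Constructed tab-separated format: ts, client, url, status, location, content-type;
    '-' marks an empty field."""
    ts, client, url, status, location, ctype = line.split("\t")
    return Record(int(ts), client, url, int(status),
                  None if location == "-" else location,
                  "" if ctype == "-" else ctype)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def build_chains(records: List[Record]) -> List[List[Record]]:
    """Per client, follow each 3xx Location to the next request for that exact URL."""
    by_client: Dict[str, List[Record]] = {}
    for rec in sorted(records, key=lambda r: r.ts):
        by_client.setdefault(rec.client, []).append(rec)
    chains: List[List[Record]] = []
    for recs in by_client.values():
        consumed = set()
        for i, start in enumerate(recs):
            if i in consumed:
                continue
            chain, cur, pos = [start], start, i
            while cur.location:
                nxt = next((j for j in range(pos + 1, len(recs))
                            if j not in consumed and recs[j].url == cur.location), None)
                if nxt is None:
                    break
                consumed.add(nxt)
                cur, pos = recs[nxt], nxt
                chain.append(cur)
            chains.append(chain)
    return chains


def classify(chain: List[Record]) -> Optional[dict]:
    """Alert when a probe request is redirected off the allowlist; note executable payloads."""
    if len(chain) < 2 or host_of(chain[0].url) not in PROBE_HOSTS:
        return None
    final = chain[-1]
    if host_of(final.url) in EXPECTED_PORTAL_HOSTS:
        return None
    delivers_exe = (final.url.lower().endswith(EXECUTABLE_SUFFIXES)
                    or final.content_type in ("application/x-msdownload",
                                              "application/vnd.microsoft.portable-executable"))
    return {
        "client": chain[0].client,
        "hosts": [host_of(r.url) for r in chain],
        "severity": "high" if delivers_exe else "medium",
        "reason": "connectivity probe redirected to unexpected host"
                  + (" that served an executable" if delivers_exe else ""),
    }


def detect(log_text: str) -> List[dict]:
    records = [parse_line(ln) for ln in log_text.strip().splitlines()]
    return [a for a in (classify(c) for c in build_chains(records)) if a]


# Constructed sample: 10.0.0.5 reaches the real hotel portal; 10.0.0.7's probe is bounced
# through a legitimate-looking host to a third one that serves an .exe; 10.0.0.9 is noise.
SAMPLE_LOG = "\n".join([
    "1\t10.0.0.5\thttp://www.msftconnecttest.com/connecttest.txt\t302\thttp://portal.hotel.example/login\t-",
    "2\t10.0.0.5\thttp://portal.hotel.example/login\t200\t-\ttext/html",
    "3\t10.0.0.7\thttp://www.msftconnecttest.com/connecttest.txt\t302\thttp://cdn.legit.example/update\t-",
    "4\t10.0.0.7\thttp://cdn.legit.example/update\t302\thttp://update-check.example/plugin_update.exe\t-",
    "5\t10.0.0.7\thttp://update-check.example/plugin_update.exe\t200\t-\tapplication/x-msdownload",
    "6\t10.0.0.9\thttp://www.example.org/\t200\t-\ttext/html",
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats a practitioner would add. The matching on the exact Location URL is deliberately strict, so it misses chains where the client normalises the URL before requesting it; loosen it to host-level matching if your proxy records only hostnames. And a valid Authenticode signature on the downloaded file is not a reason to clear the alert: as the GTIG quote above notes, the signature only proves the signer held the key, and the signer's subject name (Chengdu Nuoxin Times Technology Co. Ltd. in the reported campaign) is itself a hunting key worth matching across your fleet.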