The DarkHotel hacker group exploited a zero-day vulnerability to hijack more than 200 VPN servers used by Chinese government agencies and diplomatic missions worldwide and deploy malware in devices connected to such servers.
Qihoo 360, a Chinese cyber security firm, recently discovered that since March, more than 200 servers were hacked into by the hacker group. Researchers at the firm have confirmed that 174 of these servers were used by government agencies based in Beijing and Shanghai and the remaining were installed in the networks of Chinese diplomatic missions operating abroad.
In their report, researchers at Qihoo said that the cyber attack was ‘sophisticated’ in nature and the attackers “designed the backdoor control method and executed the code by completely issuing shellcode from the Cloud. The entire attack process is very complicated and concealed.”
According to the firm, DarkHotel hackers exploited a security vulnerability and gained control over Sangfor VPN servers and replaced a file named SangforUD.exe with a boobytrapped version. When employees connected to the hacked Sangfor VPN servers, their desktop client was automatically updated and received the boobytrapped SangforUD.exe file. This later installed a backdoor trojan on their devices.
“360 Security Brain captured the Darkhotel (APT-C-06) of the Peninsula APT organization, hijacked the Sangfor VPN security service and issued malicious files, targeting Chinese agencies abroad and relevant government units to launch targeted attacks. As of now, a large number of VPN users have been recruited by the attacked unit,” the firm said.
DarkHotel hackers exploiting zero-day flaws to target Chinese agencies since 2007
It added that DarkHotel, commonly known as “Black Shop” in Chinese, is an APT organisation with East Asian background and has been known to conduct cyber espionage attacks against corporate executives, government agencies, defense industry, electronics industry, and other important institutions in China. The hacker group began operating in 2007 and has since targeted organisations in China, North Korea, Japan, Myanmar, Russia and other countries.
Qihoo 360 alleged that DarkHotel had previously conducted a cyber-attack on China’s business-related government agencies by exploiting the “Double Star” zero-day vulnerability in Firefox to target Windows 7 systems that were no longer supported by Microsoft.
In March, the hacker group was also suspected of being behind a cyber attack on the World Health Organisation’s IT system to steal email credentials when the organisation was busy with handling the COVID-19 outbreak.
WHO’s CISO Flavio Aggio told Reuters that the site that the hackers used was in an attempt to steal passwords of employees. “There has been a big increase in targeting of the WHO and other cybersecurity incidents. There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled,” he said.
Commenting on the news, Richard Bejtlich, principal security strategist at Corelight told TEISS that “if we accept that Qihoo has correctly attributed this activity to Dark Hotel, and that Dark Hotel is a North Korean actor, this report presents a few interesting findings.
“First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government, so the PRC might be signalling its disapproval to the DPRK. Third, a combined approach that integrates server-side and client-side techniques, at the scale indicated by Qihoo, is a sign that the DPRK has improved its offensive asset management capabilities.” He added.