DarkHotel hackers use VPN zero-day to breach Chinese government agencies

Targets included government agencies in Beijing and Shanghai and Chinese diplomatic missions abroad.
Written by Catalin Cimpanu, Contributor

Foreign state-sponsored hackers have launched a massive hacking operation aimed at Chinese government agencies and their employees.


Attacks began last month, in March, and are believed to be related to the current coronavirus (COVID-19) outbreak.

Chinese security-firm Qihoo 360, which detected the intrusions, said the hackers used a zero-day vulnerability in Sangfor SSL VPN servers, used to provide remote access to enterprise and government networks.

Qihoo said it discovered more than 200 VPN servers that have been hacked in this campaign. The security firm said that 174 of these servers were located on the networks of government agencies in Beijing and Shanghai, and the networks of Chinese diplomatic missions operating abroad, in countries such as:

  • Italy
  • United Kingdom
  • Pakistan
  • Kyrgyzstan
  • Indonesia
  • Thailand
  • UAE
  • Armenia
  • North Korea
  • Israel
  • Vietnam
  • Turkey
  • Malaysia
  • Iran
  • Ethiopia
  • Tajikistan
  • Afghanistan
  • Saudi Arabia
  • India

In a report published today, Qihoo researchers said the entire attack chain was sophisticated and very clever. Hackers used the zero-day to gain control over Sangfor VPN servers, where they replaced a file named SangforUD.exe with a booby-trapped version.

This file is an update for the Sangfor VPN desktop app, which employees install on their computers to connect to Sangfor VPN servers (and inherently to their work networks).

Qihoo researchers said that when workers connected to hacked Sangfor VPN servers, they were offered an automatic update for their desktop client, but received the booby-trapped SangforUD.exe file, which later installed a backdoor trojan on their devices.
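The attack chain above works because the client trusts whatever update file the VPN server hands it. The defensive counterpart is to verify the update against something the server does not control. The following is an added illustration, not code from Sangfor or from Qihoo's report: a client-side check that pins the SHA-256 digest of an update file to an allowlist obtained out of band (for example from a signed vendor advisory) and refuses to run anything else. The sample update bytes, the file name used in the demo and the digests are all constructed for the example; no real Sangfor release hashes appear here.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample payloads standing in for a genuine update and a
# tampered one served by a compromised server. Neither is real software.
GENUINE_UPDATE = b"constructed sample of a genuine SangforUD.exe update\n"
TROJANIZED_UPDATE = b"constructed sample of a tampered SangforUD.exe update\n"

# Allowlist of digests the administrator obtained out of band. In a real
# deployment this would come from the vendor's signed advisory, never from
# the VPN server that serves the update itself.
KNOWN_GOOD_SHA256 = {hashlib.sha256(GENUINE_UPDATE).hexdigest()}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of the raw update bytes."""
    return hashlib.sha256(data).hexdigest()


def is_trusted_update(data: bytes, allowlist=KNOWN_GOOD_SHA256) -> bool:
    """Return True only if the update's digest is on the pinned allowlist.

    hmac.compare_digest keeps the comparison constant-time, so a mismatch
    does not leak where the first differing character is.
    """
    digest = sha256_of(data)
    return any(hmac.compare_digest(digest, good) for good in allowlist)


def check_update_file(path: Path, allowlist=KNOWN_GOOD_SHA256) -> dict:
    """Hash an update file on disk and report whether it may be executed.

    This is the shape of a post-compromise check as well: run it over the
    update file a server is currently serving and compare with the allowlist.
    """
    data = path.read_bytes()
    return {
        "path": str(path),
        "sha256": sha256_of(data),
        "trusted": is_trusted_update(data, allowlist),
    }


def demo() -> list:
    """Write both constructed samples to a temp dir and check each one."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload in (("SangforUD-genuine.exe", GENUINE_UPDATE),
                              ("SangforUD-tampered.exe", TROJANIZED_UPDATE)):
            p = Path(tmp) / name  # hypothetical file names for the demo
            p.write_bytes(payload)
            results.append(check_update_file(p))
    return results


if __name__ == "__main__":
    for r in demo():
        verdict = "OK, run" if r["trusted"] else "REJECT, digest not pinned"
        print(f"{r['path']}: {r['sha256'][:16]}... {verdict}")
```

Hash pinning is the minimal version of the idea; a production updater should additionally verify a code signature chained to the vendor's key, so that legitimate new releases can be accepted without redistributing an allowlist. The point the example makes is the same either way: the server that delivers the update must not be the only thing vouching for it.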

DarkHotel hackers have been going after COVID-19 targets

The Chinese security firm said it tracked the attacks to a hacker group known as DarkHotel. The group is believed to operate out of the Korean peninsula, although it is yet unknown if they are based in North or South Korea.

The group, which has been operating since 2007, is considered one of today's most sophisticated state-sponsored hacking operations.

In a report published last month, Google said that DarkHotel used a whopping five zero-day vulnerabilities last year, in 2019, more than any other nation-state hacking operation.

Despite being only April, the Sangfor VPN zero-day is the third zero-day DarkHotel has deployed in 2020.

Earlier this year, the group was also seen using zero-days in the Firefox and Internet Explorer browsers to target government entities in China and Japan.

Qihoo researchers said the recent attacks against Chinese government agencies could be related to the current coronavirus (COVID-19) outbreak. The Chinese security firm said it believes DarkHotel is trying to get insights into how the Chinese government handled the outbreak.

The attacks on Chinese government entities appear to fit a pattern. Two weeks ago, Reuters reported a DarkHotel attack against the World Health Organization, the international body coordinating the global response to the current COVID-19 pandemic.

Patches are already available

Qihoo said it reported the zero-day vulnerability to Sangfor last Friday, on April 3.

When ZDNet reached out for a statement earlier today, the Shenzhen-based vendor didn't want to comment on the attacks, targets, or hackers, and instead redirected us to a WeChat post it published earlier in the day.

On WeChat, the vendor said that only Sangfor VPN servers running firmware versions M6.3R1 and M6.1 were vulnerable and have been confirmed to have been compromised using the zero-day used by DarkHotel.

Sangfor said that patches would be coming today and tomorrow -- today for the current version of its SSL VPN server, and tomorrow for the older versions.

The company also plans to release a script to detect whether hackers have compromised VPN servers, and a second tool to remove files deployed by DarkHotel.

Sangfor customers can find additional details in the company's WeChat post and its SRC-2020-281 security advisory (non-public).

