Apt20 Chinese 2facimpanuzdnet: The intelligence agency Mandiant has released their latest report on APT20, codenamed “Iron Tiger”. Mandiant warned that the group is likely sponsored by the Chinese government and has launched a series of attacks in recent months.
Mandiant says APT20’s hacking team generated APT traffic like it is coming from a proxy. The hackers tricked targeted organizations into routing traffic to servers they control, allowing them to capture sensitive data and secretly bypass two-factor authentication protections.
Mandiant says that APT20’s activities have led to the compromise of dozens of government-related organizations, including large US government contractors, defense organizations, and universities.
The group has launched attacks on some customers in the US as well. In fact, APT20 is believed to have been behind a phishing campaign that resulted in the compromise of a Verizon executive. The group also hacked into RSA, something Mandiant believes was done via spear phishing attacks.
The latest Mandiant report comes just a few weeks after the security firm disclosed an APT3 hacking campaign that targeted organizations in the US, Taiwan, Japan and China.
Mandiant says the majority of attacks launched by both APT3 and APT20 were conducted using custom malware developed in-house by these cyber spying groups. The researchers speculate one of the main reasons why both groups are able to keep developing new exploits is because they work for organizations with access to a great deal of intellectual property .
Mandiant also discovered two instances of APT20 using a platform designed to bypass two-factor authentication protections.
The first instance dates back to March 2013, when Mandiant observed a hacker using a ProxySQL server to intercept requests and inject malicious data in responses. The hacker was targeting the webmail interface of a managed service provider (MSP) and had managed to configure an authentication server to relay credentials back to proxySQL on behalf of the victim.
The second instance was observed in May 2013, and Mandiant says the hacker had set up a file sharing server to relay credentials back to a proxySQL server. In this case, the proxySQL server was configured to capture victim’s credentials and forward them to other domains controlled by the hacker.
Mandiant reports that APT20’s targets are almost exclusively government related. It appears at least some of these targets are targets of interest to the US government as well.
The unusual nature of many of APT20’s targets, as well as the sophistication of the group’s hacking techniques, suggests that APT20 is sponsored by a government. In fact, the group is believed to be affiliated with the Chinese government. Mandiant has no evidence that either APT20 or APT3 are selling intelligence to other governments. However, they assume these groups are being used by the Chinese government to conduct espionage against US organizations of interest.
The latest report is just the tip of the iceberg. The real question is: who are these hackers really working for? Are they simply skilled hackers that are using their skills for financial gain, or are they doing it as part of a government sponsored project?
EDITOR’S NOTE : This report originally stated that APT20 was believed to be sponsored by the People’s Liberation Army, but Mandiant clarified that it had no evidence of this. Mandiant also said it had no evidence APT3 is selling intelligence to other countries, something the initial report speculated about. We apologize for our error.