Chinese embassy in Pyongyang compromised in massive cyberattack

Drumboy44

DEFCON Staff
Staff member
In a major attack against the Chinese government, a hacking group linked to the Korean peninsula gained access to embassy data in the DPRK and more than a dozen other locations around the world, the Beijing-based security firm Qihoo 360 said Monday. According to the company, a group known as DarkHotel compromised more than 200 servers of a domestic VPN provider used by Chinese government

 

Drumboy44

DEFCON Staff
Staff member
What did they get?
While some security researchers have previously linked the DarkHotel group to North Korea, others have suggested the group has ties to South Korea.
Just two weeks ago, the organization was linked to a cyberattack against the World Health Organization (WHO), attempting to steal passwords using malicious emails sent to staff, according to a Reuters report.

Experts at Qihoo 360 described DarkHotel as "an APT gang in the Korean peninsula" that has been operating from East Asia since 2007.

"Its footprints in the cyber realm are all over China, North Korea, Japan, Myanmar, Russia, and other countries," the company explained in the report.
The attack succeeded due to a combination of bad security practices and lack of updates by Chinese VPN provider Sangfor Technologies, which was running software "which is very old and contains a lot of security vulnerabilities," the researchers said.
"At the same time, the operation and maintenance staff of the relevant unit leaked a large amount of sensitive data."

The security experts said employees of the company had disclosed usernames and passwords on publicly-accessible web pages.

"It is precisely because of the security vulnerabilities in the critical infrastructure and the weak security awareness of the relevant personnel that the VPN server is hacked."

Sangfor Technologies responded in a statement on Tuesday that the vulnerabilities in their VPN client had been fixed, promising to release a software tool to help customers identify and remove malicious files installed on their devices.

Security firm Qihoo 360 said the attackers may have tried to take advantage of an increased use of VPNs for sensitive data transfers while Chinese government employees are working from home during the ongoing outbreak of the COVID-19 virus.

The goal may have been to steal medical technology and access information about supplies, logistics, and medical data, the company speculated.
 

Obreid

Power Poster
Additional info on DarkHotel.

They target hotel WiFi users with phishing schemes. They have a pretty nasty reputation, it appears.

Also, upon a little further reading (I had to educate myself here a little), an APT is traditionally characterized as a state-sponsored hacker group tasked with long-term, purposeful attacks against industry or nation states.
 

Obreid

Power Poster
Probably not connected, but it might shed some light on a presidential executive order issued this March against StayNTouch, a hotel services software company. They provide a software platform to manage all aspects of running a hotel, which I would have to assume would include the hotel's WiFi service.
They were recently purchased by the Chinese software company Shiji.
The EO ordered the Chinese company and investors to disinvest completely of StayNTouch Inc.

A Chinese company forced to divest from a US hotel management software company due to national security issues via an executive order.
A Chinese company having access to gov and business travelers WiFi activity even if using a VPN would explain the reason for this EO.
 