X

Hackers in China are part of massive government group, report says

Hacks that were previously thought to be the work of unrelated groups have actually been coordinated by China since at least 2009, according to researchers.

Zoey Chong Reporter
Zoey is CNET's Asia News Reporter based in Singapore. She prefers variety to monotony and owns an Android mobile device, a Windows PC and Apple's MacBook Pro all at the same time. Outside of the office, she can be found binging on Korean variety shows, if not chilling out with a book at a café recommended by a friend.
See full bio
Zoey Chong
2 min read
President Xi Jinping visits birthplace of Chinas Communist Party in Shanghai

Hackers in China haven't been acting on their own, according to 401TRG.

 Artur Widak/NurPhoto via Getty Images

There's a Chinese proverb that roughly translates to "One chopstick is easily broken, but a bundle of chopsticks is unbreakable."

Multiple hacking groups in China previously thought to be individual actors are actually part of a larger, long-running, state-sponsored umbrella group, according to threat research group 401TRG at Denver-based security company ProtectWise.

The larger group, which 401TRG dubbed the Winnti umbrella, is an "advanced and potent threat" with a primary long-term mission that is politically focused, the researchers warn in a report released last week. Winnti refers to a "custom backdoor used by groups under the umbrella," 401TRG said in its report.

Hacking activities are not uncharted waters for China. According to a report earlier this year from security company Recorded Future, the Chinese government lied about belatedly informing the Chinese public of security flaws in order to hide exploits it was likely using in attacks.

The state-sponsored campaigns stretch back to 2009, with some reports of potential activity as far back as 2007, 401TRG said. These include some highly visible operations uncovered by Kaspersky Lab in 2013 and Trend Micro in 2017, as well as attacks targeting journalists reported by the Citizen Lab.

More reads

People working for the umbrella group typically begin by phishing users who may provide a stepping stone to a target network, according to the report. Data is then harvested using malware, though "campaign themes have matured" this year with "code signing certificates and software manipulation" becoming more popular.

"Gaming studios and high tech businesses" in China, Japan, South Korea and US have been the group's initial targets 

While Winnti umbrella attackers usually use their own command-and-control servers to mask their actual location, 401TRG said, they have occasionally made "sloppy" mistakes that provide clues to their Chinese origins. In these cases, they "mistakenly" accessed machines using IP addresses linked to a China Unicom network in the Xicheng District of Beijing.

The group continues to function, the report said.

Watch this: Winter Olympics hit by cyberattack, Verizon to lock phones

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Blockchain Decoded:  CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.