CNET también está disponible en español.

Ir a español

Don't show this again

Security

Hackers in China are part of massive government group, report says

Hacks that were previously thought to be the work of unrelated groups have actually been coordinated by China since at least 2009, according to researchers.

President Xi Jinping visits birthplace of Chinas Communist Party in Shanghai

Hackers in China haven't been acting on their own, according to 401TRG.

Artur Widak/NurPhoto via Getty Images

There's a Chinese proverb that roughly translates to "One chopstick is easily broken, but a bundle of chopsticks is unbreakable."

Multiple hacking groups in China previously thought to be individual actors are actually part of a larger, long-running, state-sponsored umbrella group, according to threat research group 401TRG at Denver-based security company ProtectWise.

The larger group, which 401TRG dubbed the Winnti umbrella, is an "advanced and potent threat" with a primary long-term mission that is politically focused, the researchers warn in a report released last week. Winnti refers to a "custom backdoor used by groups under the umbrella," 401TRG said in its report.

Hacking activities are not uncharted waters for China. According to a report earlier this year from security company Recorded Future, the Chinese government lied about belatedly informing the Chinese public of security flaws in order to hide exploits it was likely using in attacks.

The state-sponsored campaigns stretch back to 2009, with some reports of potential activity as far back as 2007, 401TRG said. These include some highly visible operations uncovered by Kaspersky Lab in 2013 and Trend Micro in 2017, as well as attacks targeting journalists reported by the Citizen Lab.

People working for the umbrella group typically begin by phishing users who may provide a stepping stone to a target network, according to the report. Data is then harvested using malware, though "campaign themes have matured" this year with "code signing certificates and software manipulation" becoming more popular.

"Gaming studios and high tech businesses" in China, Japan, South Korea and US have been the group's initial targets 

While Winnti umbrella attackers usually use their own command-and-control servers to mask their actual location, 401TRG said, they have occasionally made "sloppy" mistakes that provide clues to their Chinese origins. In these cases, they "mistakenly" accessed machines using IP addresses linked to a China Unicom network in the Xicheng District of Beijing.

The group continues to function, the report said.

Now playing: Watch this: Winter Olympics hit by cyberattack, Verizon to lock phones
1:26

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Blockchain Decoded:  CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.