Operation Wocao : Shining a Light on One of China’s Hidden Hacking Groups


Operation Wocao : Shining a Light on One of China’s Hidden Hacking Groups (Dec 19, 2019)

Fox-IT have released a report detailing the activities of publically reported Advanced Persistent Threat (APT) group “APT20”. Fox-IT has high confidence that the actor is a Chinese group working on behalf of the Chinese government for espionage purposes. Victims were found in over 10 countries and included governments, managed service providers (MSPs), energy, healthcare and high-tech. The activity shows that the actors operated mostly through legitimate channels, VPN access and singled out workstations of employees with privileged access. They stole password vaults and sometimes maintained several access methods for back up. APT20 is using simple but efficient and effective methods.

Recommendation: This APT is using legitimate methods to access networks and steal information. Campaigns like this are difficult to detect because they may not be using any malware to achieve their hands-on-objectives. Organisations can use behavioural monitoring capabilities to better detect anomalous behaviour if a malicious actor is using legitimate accounts. Behavioural monitoring capabilities include detecting when files and data are accessed that are outside the normal working hours or job specification of the account holder. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.