In its post, Qihoo claimed that malicious files were being delivered to Chinese organisations abroad through hijacked SangFor VPN server installations. It named the advanced persistent threat group behind the attacks as Darkhotel aka APT-C-06, adding that it was based on the Korean Peninsula.
The Qihoo researchers pointed out that the alleged attacks had come at a time when there was a massive increase in VPN use because of the coronavirus pandemic, with the obvious inference being that the raids had been staged to affect Chinese companies as they were slowly trying to resume work after a lockdown.
"As we already know, the core of remote telecommuting is VPN. This also means that once the VPN vulnerability is exploited by a hacker, the whole unit using VPN for remote working is undoubtedly exposed to predictable risks," the Qihoo researchers claimed.
"[There is] no evidence this was actually Darkhotel and [there is] a ton of confirmation bias about targeting because of COVID-19," Brian Bartholomew said in a tweet.
I’m going to be a bit blunt here. This write up is full of speculation, no evidence this was actually Darkhotel, and a ton of confirmation bias about targeting because of Covid. Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims https://t.co/2K1ajklUwp — Brian Bartholomew (@Mao_Ware) April 6, 2020
"Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims."
In its post, Qihoo described Darkhotel as an APT gang that operated from East Asia. "[It] is behind a long-running series of cyberespionage-focused campaigns against corporate executives, government agencies, defence industry, electronics industry and other important sectors," the Qihoo researchers said.
"Its footprints in the cyber realm are all over China, North Korea, Japan, Myanmar, Russia and other countries. Their operations can be traced back to as early as 2007."
Qihoo said the attack had been through updates issued by SangFor, with the update program having been replaced by a backdoored version.
It claimed Chinese agencies were attacked in Italy, the UK, Pakistan, Kyrgyzstan, Indonesia, Thailand, the UAE, Armenia, North Korea, Israel, Vietnam, Turkey, Malaysia, Iran, Ethiopia, Tajikistan, Afghanistan, Saudi Arabia and India.
Qihoo is a prominent Chinese research firm, often publishing posts on various vulnerabilities. In March, it attracted attention for making the unusual claim that a group known as APT-C-39, which it claimed was affiliated to the US Central Intelligence Agency, had been hacking into Chinese Government agencies and companies over the last 11 years.