In this photo taken Tuesday, March 3, 2020, a worker stands near Chinese national flag and propaganda which reads "Go China" in Beijing. AP Photo/Ng Han Guan

Chinese Hackers Attacked Foreign Health Care, Military, Oil Networks as Coronavirus Hit China

In January, the ‘widespread’ assault targeted a vulnerability in virtual desktops, cloud computing, and network applications, FireEye announced.

As the coronavirus epidemic reached crisis level in Wuhan, China, in January, a known group of state-backed hackers launched attacks on healthcare companies and other key industries outside the country, according to cybersecurity company FireEye.

FireEye announced their findings on the attacks Wednesday morning, calling it “one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years.”

The Chinese hackers, a group known as APT41, are affiliated with the government but also conduct financial crimes for personal gain. FireEye reports that on Jan. 20 they targeted a specific known vulnerability listed in the National Vulnerability Database (CVE-2019-19781, affecting Citrix Application Delivery Controllers). The vulnerability could allow attackers to exploit virtual desktop, cloud computing, and networking applications to steal data. The group also hit military installations and oil and gas targets, FireEye said, without naming where or in which countries, to protect the identity of their clients.

FireEye says there was a dropoff in the group’s cyberattacks five days later, around the Chinese New Year, which occurred on Jan. 25; such a lull is common among China-based threat groups. China began to implement very strict quarantine measures in Hubei province on Jan. 23, suggesting that the activity was going on as the pandemic picked up momentum. There was another dropoff between Feb. 2 and 19.

“While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways which we were unable to observe with FireEye telemetry,” they write in a blog post published Wednesday. Defense One is unable to independently verify their claims.

Activity picked up again shortly after Feb. 19, they report. The current wave of attacks “seems to reveal a high operational tempo and wide collection requirements for APT41.”

The unprecedented level of remote working and living during the coronavirus pandemic has also brought an increase in cyberattacks, most notably phishing attacks targeting individuals with phony links and emails, according to cybersecurity company CrowdStrike. Attackers are coming from, but are not limited to, sources inside China.

“We’re seeing this from both nation-state actors, notably groups in China we track under PANDA designations, as well as criminal groups,” Robert Sheldon, CrowdStrike director of Government Technology Strategy, said in an email to reporters on Monday. PANDA is how CrowdStrike designates advanced persistent threat groups from China.

The Pentagon has been worried about increased cyberattacks in light of increased telework. On March 16, during a “virtual town hall,” Essye Miller, DOD’s principal deputy chief information officer, said that adversaries are “already taking advantage of the situation and the environment that we have on hand.”

On Tuesday, Defense Secretary Mark Esper reminded Defense Department personnel in another virtual town hall that working from home carried its own risks. 

“If you’re teleworking, if you’re doing anything that involves the networks and IT, be very, very careful of IT vulnerabilities. We are a little bit more exposed when we’re doing telework,” he said.