According to a report by the Dutch company Fox-IT, the hacking team is known in cyberspace as APT20 and works for the Beijing government.
The main targets of its attacks are government entities and managed service providers (MSPs) active in sectors such as aviation, healthcare, finance, insurance and energy.
Hacking incidents related to APT20
What has the APT20 been doing in the last two years?
According to the researchers, the hackers used web servers as the initial entry point into their targets' systems. Specifically, they focused on JBoss, an enterprise application platform often used in large corporate and government networks.
The APT20 hackers exploited vulnerabilities that gave them access to the servers. They then installed web shells and moved laterally within the victims' systems.
Despite this, the hackers managed to go unnoticed for two years.
They did this by using legitimate tools that were already installed on the compromised devices, so antivirus programs did not flag them.
APT20 bypasses two-factor authentication (2FA)
The researchers found that APT20 hackers breached 2FA-protected VPN accounts.
How they did this is not yet known. However, the researchers have put forward a hypothesis: they believe APT20 stole an RSA SecurID software token from a hacked system and used it to generate valid one-time codes and bypass 2FA.
To use one of these software tokens, the user would normally have to connect a physical device to their computer. The device and the software token together generate a valid 2FA code; if the device is not present, the RSA SecurID software produces an error.
How did the hackers get around this issue? Fox-IT researchers explain:
The software token is created for a specific system, but the hackers have access to the victim's system, so things are simple.
All it takes for the hackers to produce two-factor authentication (2FA) codes is to steal an RSA SecurID software token.
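The reasoning above, as an added illustration that is not from the Fox-IT report and does not model RSA SecurID's real file format or binding check: a toy time-based token whose seed is released only when a host fingerprint (a constructed value) matches the one recorded at enrollment. Copying the token file to another machine trips the binding error, but the check is purely client-side, so an operator already on the enrolled (compromised) host produces exactly the code the VPN server expects.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed illustration values; not an RSA SecurID seed, serial or file format.
ENROLLED_HOST = "workstation-17|CONSTRUCTED-ID"
OTHER_HOST = "attacker-box|CONSTRUCTED-ID"
TOKEN_FILE = {"seed": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
              "bound_to": hashlib.sha256(ENROLLED_HOST.encode()).hexdigest()}

class BindingError(Exception):
    """Raised when the token file is opened on a host it was not issued for."""

def load_token(token_file: dict, current_host: str) -> bytes:
    # Model of the client-side binding check: the seed is only released if the
    # current host fingerprint matches the one recorded at enrollment.
    if hashlib.sha256(current_host.encode()).hexdigest() != token_file["bound_to"]:
        raise BindingError("token not issued for this system")
    return token_file["seed"]

def otp(seed: bytes, t: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 style time-based code derived from the seed."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def server_expects(t: int) -> str:
    # The VPN side holds the same seed and has no view of the client-side check.
    return otp(TOKEN_FILE["seed"], t)

def attempt(host: str, t: int) -> Optional[str]:
    """Code an operator on `host` can produce from the token file, or None."""
    try:
        return otp(load_token(TOKEN_FILE, host), t)
    except BindingError:
        return None

def demo(t: int) -> dict:
    return {
        "server": server_expects(t),
        "copied_to_other_host": attempt(OTHER_HOST, t),        # binding error
        "run_on_compromised_host": attempt(ENROLLED_HOST, t),  # matches server
    }
```

The server cannot distinguish the legitimate user from someone running on the same compromised host, which is why a software token on that host is no longer an independent second factor.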
Fox-IT researchers said they were able to uncover the APT20 attacks because one of the victim companies requested an investigation into a hacking incident.
More details about these attacks can be found in the report titled "Operation Wocao".
The hackers tried to run various commands on Windows. When the commands failed, the APT20 hackers realized they had been detected and typed one last command, "wocao", which in Chinese slang means "to get!"