Operation Wocao Exposes One of China’s Hidden Hacking Groups
A new report by Netherlands-based Fox-IT, part of U.K.-based NCC Group, exposes in greater detail a previously underreported threat actor believed to be operating on behalf of the Chinese government for espionage purposes. The researchers identified victims in 10 countries, ranging from government entities to managed service providers, and across several industries, including energy, health care and high-tech.
For the past two years, the group has been stealing passwords and circumventing two-factor authentications as well as performing other malevolent activities. Fox-IT researchers believe the hacking group is APT20, judging by the patterns in tools, techniques and procedures. Government-backed hacking groups tend to be well funded, resource rich and highly focused. This makes finding their footprints particularly challenging for security teams.
The Fox-IT security researchers assigned the name Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) to the group’s hacking activities, which often slide by undetected. According to the report, details on how this group operates include:
- They carry out most of their activities on the basis of access through legitimate channels.
- For backup purposes, they may keep additional access methods in place.
- They move through the network, directly singling out workstations of employees with privileged access.
- On these systems, the contents of passwords vaults (password managers) are directly targeted and retrieved.
- As much as is possible, they remove file system-based forensic traces of their activities, making it much harder for investigators to determine what happened after the fact.
- On the basis of the above, an attacker can efficiently achieve their goal of exfiltrating data, sabotaging systems, maintaining access and jumping to additional targets.
- Overall the actor has been able to stay under the radar even though the tools and techniques they use for their hacking operations are relatively simple and to the point.
Fox-IT recommends the following actions to help mitigate this threat actor:
- Zero Trust or Robust segmentation must be one of the guiding principles of any infrastructure, both for systems and identities. As part of that, leveraging Microsoft’s Enhanced Security Administrative Environment (ESAE) where applicable will greatly increase resilience and can prevent many attacks from succeeding.
- Timely detection of and adequate response to any serious incident should include a combination of high-level and low-level telemetry from network and endpoints.
There are other steps that can be taken to improve defenses too, including patching skill gaps.
“Up to 30% of untrained staff are highly susceptible to the attacks that do succeed. Just like technical defenses, staff can be ‘patched’ to reduce their vulnerabilities to phishing attacks, by training them in a holistic, integrated way. Treat people and systems as parts of the whole,” said Colin Bastable, CEO of security awareness training company Lucy Security.
“A holistic approach to cybersecurity is essential — deploy technical defenses and ‘patch’ your staff to significantly protect assets through defense in depth,” Bastable added.
MSSPs and other security providers are advised to stay vigilant against nation state threat actors, as they tend to target both public and private entities to obtain information for espionage purposes, to influence elections, to gain access to other targets and to create havoc and damage in the real world.
The Center for Strategic & International keeps tabs on nation state attacks. It has determined China to be a top offender. Its “Survey of Chinese-linked Espionage in the United States Since 2000” report lists 137 publicly reported instances of Chinese espionage directed at the United States.
“It reached this conclusion from examining public data only. The true depth of China’s efforts — and successes — in penetrating western networks is probably still unknown,” warns Strand Consult in a threat brief.