Operation Wocao Exposes One of China’s Hidden Hacking Groups

Written by Pam Baker
December 20, 2019

Report reveals new details on APT20 believed to be working on behalf of Chinese government in espionage purposes.

A new report by Netherlands-based Fox-IT, part of U.K.-based NCC Group, exposes in greater detail a previously underreported threat actor believed to be operating on behalf of the Chinese government for espionage purposes. The researchers identified victims in 10 countries, ranging from government entities to managed service providers, and across several industries, including energy, health care and high-tech.

For the past two years, the group has been stealing passwords and circumventing two-factor authentications as well as performing other malevolent activities. Fox-IT researchers believe the hacking group is APT20, judging by the patterns in tools, techniques and procedures. Government-backed hacking groups tend to be well funded, resource rich and highly focused. This makes finding their footprints particularly challenging for security teams.

The Fox-IT security researchers assigned the name Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) to the group’s hacking activities, which often slide by undetected. According to the report, details on how this group operates include:

They carry out most of their activities on the basis of access through legitimate channels.
For backup purposes, they may keep additional access methods in place.
They move through the network, directly singling out workstations of employees with privileged access.
On these systems, the contents of passwords vaults (password managers) are directly targeted and retrieved.
As much as is possible, they remove file system-based forensic traces of their activities, making it much harder for investigators to determine what happened after the fact.
On the basis of the above, an attacker can efficiently achieve their goal of exfiltrating data, sabotaging systems, maintaining access and jumping to additional targets.
Overall the actor has been able to stay under the radar even though the tools and techniques they use for their hacking operations are relatively simple and to the point.

Fox-IT recommends the following actions to help mitigate this threat actor:

Zero Trust or Robust segmentation must be one of the guiding principles of any infrastructure, both for systems and identities. As part of that, leveraging Microsoft’s Enhanced Security Administrative Environment (ESAE) where applicable will greatly increase resilience and can prevent many attacks from succeeding.
Timely detection of and adequate response to any serious incident should include a combination of high-level and low-level telemetry from network and endpoints.

There are other steps that can be taken to improve defenses too, including patching skill gaps.

Lucy Security’s Collin Bastable

“Up to 30% of untrained staff are highly susceptible to the attacks that do succeed. Just like technical defenses, staff can be ‘patched’ to reduce their vulnerabilities to phishing attacks, by training them in a holistic, integrated way. Treat people and systems as parts of the whole,” said Colin Bastable, CEO of security awareness training company Lucy Security.

“A holistic approach to cybersecurity is essential — deploy technical defenses and ‘patch’ your staff to significantly protect assets through defense in depth,” Bastable added.

MSSPs and other security providers are advised to stay vigilant against nation state threat actors, as they tend to target both public and private entities to obtain information for espionage purposes, to influence elections, to gain access to other targets and to create havoc and damage in the real world.

The Center for Strategic & International keeps tabs on nation state attacks. It has determined China to be a top offender. Its “Survey of Chinese-linked Espionage in the United States Since 2000” report lists 137 publicly reported instances of Chinese espionage directed at the United States.

“It reached this conclusion from examining public data only. The true depth of China’s efforts — and successes — in penetrating western networks is probably still unknown,” warns Strand Consult in a threat brief.

One comment

Alvin Bernstein January 2, 2020 @ 9:17 am

Reply

I had my offices servers and applications at an MSP that had its own data center, but the service and performance was terrible, and we had a feeling that security was simply not up to par with what we needed for HIPAA compliance and disaster recovery. Our medical offices throughout New Jersey could not afford any downtime. I met with several other vendors and finally found one that provided honest advice and recommendations. Baroan Technologies really stood apart from the rest and migrated us to Microsoft Azure. This way we know that it is not up to a basic MSP like Synoptek anymore, but the servers are really in Azure. I also like that I’m not in a vendor lock with any MSP. I can transfer the Azure servers to the management of any company that I want. Baroan handles everything for a fixed fee. We have two factor MFA with DUO and Microsoft for our email, our terminal server, just about everything. I got peace of mind, so I never have to think about a disaster like what happened with Synoptek and their customers. I recommend that any business that has their servers at the private data center of any MSP should question why it is so. Find an IT vendor like Baroan Technologies that cares more about your business then just their own interests and take steps before there is a disaster.