On Monday, the Biden administration announced a criminal indictment and sanctions against a group of Chinese hackers for their role in allegedly conducting hacks against companies in the US, as well as government officials.
The US government charged seven hackers, from the group known as APT31; in a related move, the British government announced sanctions on a front company, as well as two individuals in connection with a breach at the UK’s Electoral Commission.
The US government noted that the group spent about 14 years targeting US and foreign businesses and political officials.
“Today both the UK and US governments announced action against APT31, a Chinese hacking group focused on nation-state cyber espionage,” says Sergey Shykevich, threat intelligence manager at Check Point Research.
“In the UK, APT31 conducted reconnaissance against multiple Parliament Members while the Chinese affiliated group also compromised the systems at the UK Electoral Commission and records of 40 million UK voters. In the US, the nation-state hackers sent over 10,000 malicious emails to journalists, politicians and companies with the goal of compromising government institutions, stealing trade secrets and repressing critics of the Chinese government. This looks to be a coordinated action between the UK and US governments in sending a message to China that they will not tolerate such intrusions. It’s important to note that APT31 has been active for years and has launched many hacking campaigns around the world. As cyber threats grow and threat actors become more sophisticated, it will be increasingly important for governments to collaborate to prevent threats and act against the attackers.”
Check Point Research has written extensively about APT31, including a deep dive into how the group used zero-day attacks.
The group is allegedly run by the Chinese Ministry of State Security, targeting people in the UK, US and European Union for over a decade. China has denied the charges.
APT31 has been linked to several high-profile attacks, including a hack of Microsoft Exchange server in the UK that the British government says compromised tens of thousands of computers.
“In light of the Deputy Prime Minister’s proposed action against Beijing, the Government’s focus on nation-state cyber espionage has never been more apparent,” says Muhammad Yahya Patel, Lead Security Engineer and member of the Office of the CTO. “Politically, the move to attribute the Electoral Commission breach to China signals a pivotal moment in diplomatic relations. While it is important to be transparent about the potential threats to national security and the demographic process, we need to be mindful of the message this could send to other authoritarian nation states about the UK’s cybersecurity posture. I hope that the lessons learned from this incident means the UK Government will address the lack of preventative measures that could have bolstered defenses against the attack. This needs to be front of mind when educating organizations and proactively addressing any gaps or vulnerabilities to prevent incidents in the future.”
Both the UK and US have alleged that APT31 uses traditional phishing techniques in their attacks; according to the US government, APT31 utilized hidden tracking links. When end-users opened these emails, vital information like location, device and IP addresses were transmitted back to the hackers.
In light of these, and other targeted campaigns, Check Point Research recommends security professionals do the following:
- Implement security with robust URL protection to scan and emulate webpages before click
- Report suspicious emails immediately
- Investing in an Anti-Phishing solution, like Check Point Harmony Email & Collaboration, that offers comprehensive protection against phishing attempts