Researchers Link Disparate Chinese Hacking Groups

The Chinese government appears to have centralized control over several hacking groups previously believed to be separate threat actors, the BlackBerry Cylance Threat Intelligence security researchers say.

The investigation into the activity of these groups was triggered by a recent Area 1 report (PDF) suggesting that Chinese groups were able to compromise diplomatic cables belonging to the European Union and accessed sensitive information belonging to the United Nations.

Over 100 additional organizations (including foreign and finance ministries, think-tanks and trade unions) were apparently hacked by groups linked to the Chinese government’s Strategic Support Force (SSF), a Chinese military organization, the report revealed.

One of the indicators of compromise in the report was a domain apparently used as a command and control (C&C) server, which the BlackBerry Cylance security researchers have linked to a host of disparate Chinese APT groups.

The researchers also found evidence that different Chinese APT groups have been using the same malware, and in some cases the same exploit builder.

China’s SSF, the security researchers explain, was created in 2015 after the reorganization of “disparate Chinese military units responsible for space operations, electronic warfare, information operations, psychological operations, espionage, technical reconnaissance, and network warfare.”

The Third Department of the People’s Liberation Army (PLA), which the U.S. Justice Department refers to as the “APT 1” actor, is one of these units. The actor is focused on targeting external entities.

What BlackBerry Cylance found was a connection with other Chinese government efforts to spy on internal groups, a task norma ..