Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Target Prominent Chinese-Language News Sites

Several prominent Chinese-language news websites that are blocked in China have been targeted in malware, phishing and reconnaissance attacks, according to a new report from the University of Toronto’s Citizen Lab group.

Several prominent Chinese-language news websites that are blocked in China have been targeted in malware, phishing and reconnaissance attacks, according to a new report from the University of Toronto’s Citizen Lab group.

Citizen Lab learned of the attacks after being contacted by China Digital Times (CDT), a California-based bilingual news website covering China. Someone purporting to be a UC Berkeley student sent an email to a CDT journalist claiming to have “insider information” on cyberattacks launched at Mingjing News after it interviewed a Chinese billionaire who accused high-ranking officials in China’s Communist Party of being corrupt. Other CDT staff received similar emails the following days.

The messages contained a link pointing to a fake CDT website designed to redirect users to a WordPress phishing page. CDT does run on WordPress and the fake login page was well designed, suggesting that the attacker had put considerable effort into the campaign.

The attack on CDT lasted for roughly 20 days, but it did not appear to be successful and the threat group moved on to other targets. An analysis of the server used to host the phishing website and registration data showed that the group had also set up several other domains designed to mimic popular Chinese-language news websites that are blocked in China.

This includes Mingjing News, Epoch Times, HK01 and Bowen Press. The fake domains have apparently been set up for various purposes, including phishing, malware delivery and reconnaissance.

While Citizen Lab identified fake domains designed to mimic the ones of the aforementioned news websites, researchers were unable to confirm that these organizations were directly targeted by the threat group.

The malware involved in the attacks is NetWire, a remote access trojan (RAT) known to be used by several actors. The malware was configured to bypass detection and make analysis more difficult.

The threat group is believed to have targeted Chinese-language news sites since at least 2015. Researchers also discovered links between this campaign and a 2013 operation aimed at a Tibetan radio station, and a 2015 attack targeting Thai government agencies. The digital certificate used to sign the malware is the same as one spotted last year in attacks aimed at the gaming industry.

One possibility is that the same threat group is behind all operations, but a more likely scenario is that different actors have shared some resources.

As far as attribution is concerned, Citizen Lab pointed out that the targeted organizations are of interest to the Chinese government.

“It is noteworthy that all of the fake websites our researchers discovered in this campaign are meant to mimic news websites that publish content critical of the Chinese government. It is possible the operators behind this campaign are ‘hackers for hire’ — typical of the way in which a lot of cyber espionage is outsourced in China,” explained Ronald Deibert, director of Citizen Lab. “However, we are unable to positively attribute this campaign to a specific state agency.”

Related Reading: Operation Cloud Hopper: China-based Hackers Target Managed Service Providers

Related Reading: APT3 Hackers Linked to Chinese Ministry of State Security

Related Reading: China-Linked Hackers Target U.S. Trade Group

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.