Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



South Korea-Linked Hackers Targeted Chinese Government via VPN Zero-Day

A threat actor linked to South Korea has launched attacks against Chinese government agencies using a zero-day vulnerability affecting a local VPN service, Chinese cybersecurity firm Qihoo 360 reported on Monday.

A threat actor linked to South Korea has launched attacks against Chinese government agencies using a zero-day vulnerability affecting a local VPN service, Chinese cybersecurity firm Qihoo 360 reported on Monday.

The threat group, tracked as DarkHotel, has been tied by some members of the industry to South Korea. Qihoo 360 does not directly accuse South Korea of being behind the attacks, but says the threat actor is located in the Korean Peninsula and notes that its victims include North Korea.

According to Qihoo 360, DarkHotel targeted many Chinese institutions starting in March. The attackers exploited a previously unknown security hole in the Sangfor VPN service to deliver backdoor malware.

Sangfor Technologies is a provider of IT infrastructure solutions with over 5,000 employees. The company is based in China, but it has offices all across Southeast Asia and an R&D center in the United States.

Qihoo and Sangfor said hackers exploited a zero-day vulnerability in the update process of VPN clients to replace legitimate updates with a backdoor. The Chinese cybersecurity firm said the attackers served the malware from roughly 200 compromised VPN servers.

Sangfor quickly took measures to block attacks after being notified, and the company has promised to release patches for the vulnerability in the upcoming days.

Qihoo reported that the attacks targeted organizations in China, as well as Chinese entities located in other countries, including Italy, UK, UAE, North Korea, Israel, Turkey, Malaysia, Iran, Saudi Arabia, India, Pakistan, Thailand, Indonesia, Ethiopia, Tajikistan, Kyrgyzstan and Afghanistan.

Qihoo believes the attack is likely related to the coronavirus outbreak and the hackers could aim to spy on “China’s medical technology and virus-control measures.”

“Is it also possible that, by attacking Chinese overseas agencies, the group’s real purpose is to grasp the supply transport routes, quantity, and equipment of the quarantine materials that China sends to other countries around the world. What’s more, is it aiming at further probing into the medical data of the epidemic in more countries?” the company’s researchers said.

They added, “Another speculation is that the group may also want to know the relationships between China and other countries by analyzing the political and economic transactions data as well as the economic mitigation measures, so as to further promote the rise of the national economy and balance the interests of various countries after the pandemic.”

A few weeks ago, Qihoo 360 reported that DarkHotel had exploited zero-day vulnerabilities in Firefox and Internet Explorer in attacks aimed at Chinese government organizations. Japan also reported being targeted as part of the same campaign.

Google revealed recently that DarkHotel last year exploited five zero-day flaws in attacks launched mostly against targets in North Korea and individuals working on North Korea-related issues.

Related: Chrome Zero-Day Vulnerability Exploited in Korea-Linked Attacks

Related: ‘DarkHotel’ APT Uses New Methods to Target Politicians

Related: China-Linked Group Uses New Malware in Japan Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona