Researchers Expose China’s Hidden Hacking Group

Enterprise & IT, Dec 19, 2019

A Chinese government-linked hacking group that was thought to be dormant has been targeting companies and government agencies for the last two years, harvesting data after stealing passwords and circumventing two-factor authentication intended to prevent such attacks, according to security researchers.

Operation Wocao is the name that cybersecurity firm Fox-IT uses to describe the hacking activities of a China-based hacking group.

Fox-IT released a report detailing the profile of a publicly underreported threat actor that the firm has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20. The researchers have identified victims of this actor in 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.

This threat actor carries out most of its activities on the basis of access through “legitimate” channels. VPN access is an example of such a channel, and the security researchers have even seen APT20 abuse 2FA soft tokens.

They move through the network, directly singling out workstations of employees with privileged access (administrators). On these systems, the contents of password vaults (password managers) are directly targeted and retrieved.

As much as is possible, they remove file system based forensic traces of their activities, making it much harder for investigators to determine what happened after the fact. On the basis of the above, an attacker can efficiently achieve their goal of exfiltrating data, sabotaging systems, maintaining access and jumping to additional targets.

There was also at least one target within China, a semiconductor company, according to Fox-IT.

The hackers would usually gain entry to an organization’s systems by exploiting a vulnerability on web servers that the company or government agency operated. They would then penetrate further to identify people -- usually system administrators -- with privileged access to the most sensitive parts of the computer network, according to Fox-IT’s report.

The hackers would place keylogger software on system administrators’ computers, which records keystrokes and can reveal passwords. The group was also able in at least one case to compromise an RSA SecurID two-factor authentication system, replicating its codes, which are designed to thwart hackers by providing an extra layer of security in addition to a password, according to Fox-IT.
