In December 2019, a Dutch cybersecurity firm Fox-IT published a report explaining that a Chinese government-linked hacker group known as APT20 was attacking governments, managed service providers, and businesses based in France, Germany, Italy, Mexico, Portugal, Spain, United Kingdom, United States, as well as in Brazil and China. APT20 gained access to the systems of organizations in sectors such as energy, health care and aviation. Fox-IT found that the hacker group had obtained VPN credentials, on occasion bypassing the two-factor authentication (2FA) protection meant to prevent such credential theft and used the VPN accounts as backdoors into the victims’ networks. The cyber security firm found traces of Chinese language settings in the attack and determined that the attackers were most active during the habitual working hours of the China standard time time zone. Based on the techniques and tools used by the group, they attributed the activity, with medium confidence, to Chinese threat actor APT20.
Cybercampaign by Chinese state-affiliated APT20 bypasses two-factor authentication