Chinese Communist Party hacked via its own VPN servers

Map of China with Smartphone and CCP flag

If ever there was a case of the pot calling the kettle black, this has to be it! A Chinese security company has detected Chinese Communist Party (CCP) online interests being attacked by state-sponsored foreign hackers.

If that didn’t seem ironic enough, it seems the vulnerability they have been using to launch these attacks are located in regimes own VPN servers.

CCP-backed VPN hacked

Regular readers and anyone who knows anything at all about the online habits of China’s Communist regime will know that VPNs are banned in the country. Furthermore, the regime has gone out of its way to try and punish anyone found to be using or selling VPNs in the country.

Despite this campaign, VPN use is still widespread across the country as it is the only effective way to bypass the regime’s online censorship and surveillance, which is the most oppressive and intrusive in the world.

You might think that those who are complicit in the Communist regime’s online oppression and wider humanitarian abuses might not have the brass neck to complain when they get a taste of their own medicine, but Qihoo 360 clearly does.

Qihoo 360 is a Chinese online security analysis company and it has apparently identified an attack which has compromised a zero-day vulnerability in a Chinese state-backed VPN provider called Sangfor SSL VPN.

If you are a little confused by this, you may recall reading our previous articles about how the CCP has banned foreign VPNs but is more than happy for people to use domestic VPNs.

That’s mostly because these VPNs are tools of the Chinese state and far from protecting users information, they hand over every bit of information about all connections routed through them to the CCP.

Sangfor SSL VPN is one of these CCP puppet VPNs and it just happens to be used by a whole host of CCP-backed enterprises and government agencies.

It is also apparently not that secure. According to Qihoo 360, they have identified more than 200 servers on Sangfor SSL VPN’s network that appear to have been successfully hacked by what Qihoo claims are foreign government agents.

An enormous 174 of those were located either on the networks of government agencies in Beijing and Shanghai or on the networks of CCP diplomatic missions in countries as diverse as the United Kingdom, Italy, Pakistan, Indonesia, Israel, Turkey, Iran, and Saudi Arabia.

How Sangfor SSL VPN was hacked

According to the report from Qihoo 360, the attackers were a hacking group known as Dark Hotel, who are believed to operate on the Korean peninsula. Given that North Korea is a CCP protectorate and has almost no internet access apart from for its political leaders, it is safe to say they are South Korean.

The group is one of the most sophisticated of its type in the world. They are believed to have used a zero-day vulnerability to access the servers before replacing a key update file with a booby-trapped version.

When installed, this file would implant a backdoor trojan onto their devices and allow the hacking group to access traffic.

Zero-day vulnerabilities appear to be a trademark of Dark Hotel and this is believed to be the third such attack using such a vulnerability to have been identified this year. They have also used similar vulnerabilities in Internet Explorer and Mozilla to target CCP and Japanese government agencies.

Vulnerability patched

This particular hack is believed to have been focused on the coronavirus outbreak since it only began in March.

The CCP’s attempts to cover up and play down the outbreak are largely the reason why the pandemic has managed to sweep the world, kill so many people, and shut down almost every major economy.

It is therefore sad to say that Qihoo 360’s report means that this particular breach is likely to be closed in the coming days. Sangfor SSL VPN has refused to comment to western media about the breach but a post on the CCP-controlled WeChat network admitted it had been compromised and promised a fix in the coming days.

It also plans to release a script to detect if hackers have compromised VPN servers, and a second tool to removes files deployed by Dark Hotel.

It seems odd to be writing a piece mourning the fact that a state-sponsored hack has been successfully identified. But given the chaos and pandemonium that the CCP’s coronavirus has wrought on the world, any efforts to undermine its attempts to get away with it must be encouraged.

The good news for us here in the west is that the ease with which Dark Hotel was apparently able to compromise Sangfor SSL VPN servers shows the low-quality security measured that have been deployed by many of these CCP-backed organisations.

Such slapdash efforts are commonplace in totalitarian dictatorships and so will come as no surprise. But it does mean that there are likely to be many more such vulnerabilities some of which are undoubtedly being exploited even as you read this.

That means hopefully the truth about the coronavirus crisis and the CCP’s wider humanitarian abuses will eventually come out and the regime itself will one day face the consequences.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.

Leave a Reply

Your email address will not be published. Required fields are marked *