6 May 2021

Chinese military unit suspected of cyber-espionage buys foreign antivirus software

Unit 61419 of the Chinese People’s Liberation Army (PLA), which is believed to be behind cyberattacks on multiple Japanese organizations, bought antivirus software from several major Western security companies, according to the procurement documents obtained by Recorded Future’s Insikt Group.

The purchases were made in 2019 through local intermediaries and included antivirus software from Kaspersky, Bitdefender, Trend Micro, ESET, Dr.Web, Sophos, Symantec, McAfee, and Avira.

“Insikt Group assesses that the purchase of foreign antivirus software by the PLA poses a high risk to the global antivirus software supply chain,” the researchers said, pointing out that the Chinese government has not used foreign antivirus software for legitimate purposes since 2014, when it was banned.

Recorded Future says there are two possible scenarios for the PLA’s exploitation of foreign antivirus software:

Scenario 1: PLA cyber units and affiliated hacking groups will use foreign antivirus programs as a testing environment for natively developed malware. They will run the malware through foreign antivirus products to test its ability to evade detection, thereby making it more likely to successfully infect its targeted victims.

Scenario 2: PLA cyber units and affiliated hacking groups will reverse engineer the foreign antivirus software code to find previously undisclosed vulnerabilities. They will then use the newly discovered vulnerabilities in a zero-day attack for initial intrusion.

Last month, Japanese authorities opened an investigation into alleged cyber attacks thought to have been carried out by a hacker group working on behalf of the Chinese People's Liberation Army. The attacks targeted nearly 200 companies and organizations in Japan, including the Japan Aerospace Exploration Agency (JAXA), research institutions, and defense-related firms.
