Chinese Hackers Used Mesh of Home Routers To Disguise Attacks (therecord.media)
An anonymous reader quotes The Record:
A Chinese cyber-espionage group known as APT31 (or Zirconium) has been seen hijacking home routers to form a proxy mesh around its server infrastructure in order to relay and disguise the origins of their attacks.
In a security alert, the French National Cybersecurity Agency, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), published a list of 161 IP addresses that have been hijacked by APT31 in recent attacks against French organizations. French officials said that APT31's proxy botnet was used to perform both reconnaissance operations against their targets, but also to carry out the attacks themselves. The attacks started at the beginning of 2021 and are still ongoing...
The Record understands that APT31 used proxy meshes made of home routers as a way to scan the internet and then launch and disguise its attacks against Exchange email servers earlier this year; however, the technique was also used for other operations as well.
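As an added illustration, not code from The Record, ANSSI or any commenter: a short Python script that matches web-server access-log entries against an indicator list of the kind ANSSI published (hijacked relay addresses). The indicator entries and log lines below are constructed from documentation ranges, and the function names are my own. Since these relays are home routers on consumer connections, the addresses change over time, so a hit is a lead for investigation rather than attribution on its own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a published indicator list (ANSSI's real list is
# not reproduced here). One host or CIDR per line; '#' starts a comment.
SAMPLE_IOCS = """
# relay addresses observed in the campaign (constructed example values)
198.51.100.23
198.51.100.77
203.0.113.0/28
"""

# Constructed access-log lines in Apache/nginx "combined" format, including
# one malformed line to show that the parser skips it instead of crashing.
SAMPLE_LOG = """\
198.51.100.23 - - [20/Jul/2021:10:01:05 +0200] "GET /owa/auth/logon.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Jul/2021:10:01:07 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jul/2021:10:02:41 +0200] "POST /ecp/ HTTP/1.1" 403 0 "-" "python-requests/2.25"
198.51.100.23 - - [20/Jul/2021:10:03:00 +0200] "GET /autodiscover/autodiscover.xml HTTP/1.1" 401 0 "-" "Mozilla/5.0"
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def load_iocs(text):
    """Parse an indicator list into ip_network objects (hosts become /32)."""
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False lets a list carry entries like 203.0.113.5/28.
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def match_log(log_text, networks):
    """Return {client_ip: {count, first_seen, last_seen, requests}} for
    every log line whose client address falls inside an indicator network.
    Malformed lines and unparsable addresses are skipped."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None,
                                "last_seen": None, "requests": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if not any(addr in net for net in networks):
            continue
        entry = hits[str(addr)]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or m.group("ts")
        entry["last_seen"] = m.group("ts")
        entry["requests"].append((m.group("req"), m.group("status")))
    return dict(hits)


def summarize(hits):
    """One line per matched address, suitable for an alert or ticket."""
    return [f"{ip}: {h['count']} request(s) between {h['first_seen']} and "
            f"{h['last_seen']}" for ip, h in sorted(hits.items())]


if __name__ == "__main__":
    for line in summarize(match_log(SAMPLE_LOG, load_iocs(SAMPLE_IOCS))):
        print(line)
```

The same matcher works on firewall or VPN logs once the regular expression is swapped for that format; the indicator list should be refreshed from the publishing agency, because a residential address that relayed traffic this month may belong to an unrelated subscriber next month.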
Re: (Score:1)
What the hell? An on-topic and relevant post, even if somewhat trivial advice?
And no grammatical mistakes? Who are you and what have you done to Chris's corpse?
Re: (Score:3)
What about the routers themselves?
I just got an offer for a free ZTE router from an ISP. There's been a lot of talk about backdoors left in these routers -- whether due to incompetence or malice is another issue.
Re: (Score:2)
Thanks. I cannot afford a business class router, but got my eyes on something like FritzBox -- https://en.avm.de/products/fri... [en.avm.de]
Re:Another reason... (Score:4, Insightful)
My network is behind a router behind my ISP's router.
If I "secure" the ISP's router by changing passwords, then I may make myself more vulnerable to liability, rather than it being "their" "responsibility".
If I leave it alone and let it be a dumpster fire, then if anyone is held liable, it's them.
Re: (Score:2)
Not at all, because I can't actually secure the thing; I'm not allowed to and/or it won't run what I want to run on it to make it secure anyway.
SO.. with all this proxying... (Score:4, Insightful)
... how do they know it was China?
or is that too obvious and inconvenient?
Re: (Score:2, Troll)
Exactly, it would be great if journalists and law enforcement had enough understanding of technology to understand the internet can't resolve to the biological level.
And even if it could determine an actual human (not a bot or relay) was using a specific computer, how do they determine the nationality of that individual as opposed to the country they reside in?
Law enforcement are stupid idiots unfortunately.
Re:SO.. with all this proxying... (Score:5, Informative)
I know you're trolling but if you even just read the summary the identity of the group doing the hacking is APT31. Various hacking concerns get groupings based on their apparent skill level, the tools they use, types of operations they conduct, and particular strategies they use.
If a particular hack is investigated and is found to use the tools (including things like C&C servers), strategies, and skill level of a known group, there's a high likelihood that group in fact perpetrated the hack.
APT31 has been associated with China from forensic analysis of recovered tools/exploits and their targets. The actual address attacks come from is largely immaterial.
Re: (Score:1)
(1) Any country and even NGOs can have similar skill levels as a known group.
(2) Once a group does a certain technique that was unknown any country or person can use the same idea, as code doesn't exactly self-destruct, and can be reemployed. "Cyberweapons" aren't bombs. Even the US CIA/NSA could be using the same tools as APT31 once APT31 uses their tools even once.
Actual attribution is mostly political. Perhaps you can look at a target, and extrapolate that some country may have more interest in that tar
Those Chinese bastards! (Score:2)
That was my idea!
Re: (Score:3)
That was my idea!
If you wanted to keep it secret, you should have used a better password on your router...
Re: (Score:2)
If you wanted to keep it secret, you should have used a better password on your router...
Oh please, nobody is going to guess "hunter2".
No mesh (Score:4, Interesting)
Mesh, mesh, mesh.
I read the article, tweets, and French advisory and nothing talks about meshing except for the lamestream article.
Here I thought that the attackers had done something clever, like implemented their own private Tor or used client-mode configs to other AP's in apartment buildings for stealth.
But, no, they're just proxies.
Maybe next year.
Re: (Score:2)
The word "mesh" has normal, everyday meanings. It's not just a bespoke term of art.
Sooo (Score:2)
It's the red menace all over again yogi :] (Score:1)