A Chinese security firm says DarkHotel hackers are behind an espionage campaign, but researchers want more details

Did an APT group with roots in South Korea use VPN services to spy on the Chinese government?

A well-resourced hacking group with possible ties to South Korea has launched an apparent espionage campaign against the Chinese government as international governments grapple with the COVID-19 pandemic, according to a Chinese security firm.

An advanced persistent threat group known as DarkHotel has compromised more than 200 virtual private network servers to infiltrate “many” Chinese institutions and government agencies, Qihoo 360 said in a report published Monday. In one case, DarkHotel hackers used a previously unknown software vulnerability in the enterprise Sangfor SSL VPN software, then installed malicious software onto victim machines to collect user data. The timing of the attack coincides with instructions from the Chinese government forcing citizens to work from home in order to mitigate COVID-19’s spread.

Outside security researchers with experience tracking nation-state hacking groups immediately questioned whether Qihoo 360 could be sure that the DarkHotel group was behind the campaign.

“I’m going to be a bit blunt here,” tweeted Brian Bartholomew, a researcher from Kaspersky, which tracks DarkHotel. “This write up is full of speculation, no evidence this was actually [DarkHotel], and a ton of confirmation bias about targeting because of COVID. Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims.”

VPN services are meant to provide remote workers with an additional layer of security when they’re working outside the office, a level of trust that Qihoo says hackers have used against their victims since at least March.

“If the VPN server is compromised at this moment, the consequences will be unimaginable,” the company said in its report Monday.

Qihoo 360 is a Beijing-based security firm perhaps best known for its antivirus products and mobile security offerings. The company’s research often aims to highlight threats against Chinese internet users, where most of Qihoo 360’s visibility lies, though its public reports often parallel China’s Communist Party line.

In a March report short on technical details, Qihoo 360 accused the CIA of carrying out an 11-year espionage campaign against China. Those allegations were based on researchers’ analysis of the so-called Vault 7 hacking tools allegedly leaked by a former CIA software developer, the company said in a blog post. Chinese state media agencies cited that Qihoo report to suggest U.S. “hypocrisy in cyberspace.”

In this case, the company’s findings come as interest in the DarkHotel hacking group grows. Researchers from Kaspersky, a Russian security firm, told Wired last month that DarkHotel used five zero-day vulnerabilities in 2019 to launch attacks against Chinese and North Korean targets. The group has been active since at least 2004, and has differentiated itself by using hotel and business WiFi networks, as well as peer-to-peer channels, to spread its attacks undercover.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.