Chinese hackers hit Citrix, Cisco vulnerabilities in sweeping campaign

APT 41 is known for its gaming, telecommunications, healthcare, and education targets — but this blows its past campaigns out of the water.
APT41 in particular went after vulnerabilities in Citrix's Application Delivery Controller (ADC), Cisco's routers, and Zoho's ManageEngine Desktop Central, according to FireEye. (Getty)

Earlier this year, state-backed Chinese hackers embarked on one of the most sweeping Chinese espionage campaigns FireEye has seen in years, according to new research the security firm published Wednesday.

The campaign, which lasted between January 20 and March 11, targeted 75 organizations spanning nearly every economic sector: telecommunications, healthcare, government, defense, finance, petrochemical, manufacturing, and transportation. The campaign, believed to be run by APT41, targeted nonprofit, legal, real estate, travel, education, and media organizations as well.

“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” researchers Christopher Glyer, Dan Perez, Sarah Jones, and Steve Miller said. “While APT41 has previously conducted activity with an extensive initial entry … this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.”

APT41 zeroed in on victims by going after vulnerabilities in Citrix’s Application Delivery Controller (ADC), Cisco’s routers, and Zoho’s ManageEngine Desktop Central, according to FireEye.


The Citrix vulnerability was publicly revealed a month prior to APT41’s campaign, and a researcher only revealed code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central three days before the group took advantage of it, suggesting the group is interested in promptly taking advantage of reported flaws.

“This new activity from this group shows how resourceful and how quickly this group can leverage newly disclosed vulnerabilities to their advantage,” the researchers said.

FireEye does not have a copy of the malware deployed against the Cisco routers, but has reason to believe APT41 designed malware in-house to make its targeting a success, Glyer told CyberScoop.

“It is likely that APT41 had to develop custom malware to target Cisco routers because public samples are not available,” Glyer said.

It’s not the first time APT41 has gone after the telecommunications sector. Last year, the group was focused on collecting call records data and text messages after it breached a telecommunications company, according to an earlier FireEye investigation. At the time, Steve Stone, advanced practices director at FireEye, told CyberScoop APT41 appeared interested in political dissidents’ conversations.


FireEye gave a name to the group last year for the first time, but the group has long been known to conduct state-sponsored cyber-espionage. It has also run cyber-operations aimed at personal or financial gain. APT41 has also targeted the gaming sector, hacked organizations focused on cancer research, and successfully exploited an Atlassian Confluence vulnerability against a U.S.-based university, according to FireEye.

APT41 in this campaign in particular went after the banking sector most frequently, followed by higher education and manufacturing and technology targets, FireEye Chief Security Architect Chris Glyer told CyberScoop.

Knowledge of targets and diverse access

Although some targets of APT41’s campaign earlier this year echo its previous crusades, the attack’s goals are less clear.

In February, APT41 was able to successfully exploit a Cisco RV320 router at a telecommunications entity, but FireEye does not have visibility into what exploit was used. It’s also unclear if APT41 actually stole any data from its targets throughout the campaign.


“Based on our current visibility it is hard to ascribe a motive or intent to the activity by APT41,” Glyer told CyberScoop. “There are multiple possible explanations for the increase in activity including the trade war between the United States and China as well as the COVID-19 pandemic driving China to want intelligence on a variety of subjects including trade, travel, communications, manufacturing, research and international relations.”

Glyer said the most likely explanation for the broad targeting was that APT41 is working to set current and future collection requirements. If it’s any indication of what is a priority, the Citrix-based targeting made up the lion’s share of APT41’s focus, Glyer said.

The group’s Citrix-based targeting indicates APT41 may have had some prior knowledge of its targets, suggesting the campaign was tailored.

“[A]ll observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet,” the researchers wrote.

To exploit vulnerabilities in both the Citrix ADC and Citrix Gateway devices between January and February, the hackers first checked whether the target had already applied the patch for CVE-2019-19781 and collected architecture information that could help the group install a backdoor later. After brief pauses in activity during Lunar New Year — as is typical for Chinese hackers — and during coronavirus-related quarantines in China, APT41 eventually worked to download an unknown payload, named ‘bsd,’ which FireEye suspects to be a backdoor.
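The patch check described above leaves a trace on the device: a request that reaches the /vpns/ path through a directory-traversal segment, which is the same condition Citrix’s published responder-policy mitigation for CVE-2019-19781 blocks. The following script is an added example, not code from the article or from FireEye, that scans constructed access-log lines for that pattern, decodes URL-encoded variants, and reports per source address whether any such request was actually served (HTTP 200) rather than rejected, which is a quick way for a defender to tell probing from successful exploitation. The log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a combined access-log style; the addresses
# are documentation ranges and the entries are not real telemetry.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1220
192.0.2.44 - - [21/Jan/2020:03:14:20 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
198.51.100.9 - - [21/Jan/2020:03:15:01 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
192.0.2.44 - - [21/Jan/2020:03:16:30 +0000] "GET /vpns/portal/homepage.html HTTP/1.1" 200 888
"""

# One access-log line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment, i.e. directory traversal.
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')


def is_traversal_into_vpns(path: str) -> bool:
    """True when a request reaches /vpns/ through a '..' segment.

    Mirrors the logic of Citrix's mitigation for CVE-2019-19781: /vpns/
    should only be reachable from an established VPN session, never via
    traversal. The path is decoded twice so %2e%2e and %252e%252e are
    both normalised, and backslashes are folded to forward slashes.
    """
    decoded = unquote(unquote(path)).replace('\\', '/')
    return '/vpns/' in decoded.lower() and TRAVERSAL.search(decoded) is not None


def scan(log_text: str) -> list:
    """Return one dict per suspicious request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        if is_traversal_into_vpns(m['path']):
            hits.append({
                'ip': m['ip'],
                'ts': m['ts'],
                'path': m['path'],
                'status': int(m['status']),
            })
    return hits


def summarize(hits: list) -> dict:
    """Group hits by source address; 'served' means at least one probe got a 200."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h['ip'], {'attempts': 0, 'served': False})
        entry['attempts'] += 1
        if h['status'] == 200:
            entry['served'] = True
    return summary


if __name__ == '__main__':
    for ip, info in summarize(scan(SAMPLE_LOG)).items():
        state = 'SERVED (likely unmitigated)' if info['served'] else 'blocked'
        print(f"{ip}: {info['attempts']} traversal request(s) into /vpns/, {state}")
```

A 403 on the probe is what the Citrix responder-policy mitigation returns; a 200 with a non-zero body means the traversal was honoured and the host should be treated as exposed during the window in which the request arrived. The legitimate /vpns/portal/ request without a traversal segment is not flagged, because that path is normal for an authenticated session.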


APT41 also proved to be adept at reacting to changes in victims’ environments. The hackers’ exploitation of the Zoho vulnerability, for instance, showed they were concerned about keeping access to victims’ machines. FireEye says the group worked to use both a Meterpreter downloader and a Cobalt Strike BEACON shellcode, both of which communicated with the same command and control server.

“We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems,” the researchers wrote.

One clue that the hackers may have worked to conceal their activities lies in the fact that they relied only on publicly available malware, such as Cobalt Strike and Meterpreter, in this campaign, since using such malware at this stage “can make attribution more difficult,” Glyer told CyberScoop.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.