Chinese hackers use this open-source VPN to mask spying activities
Chinese hackers are relying on legitimate VPN software to mask their activities, and, for the first time, a Japan-focused group among them has targeted a diplomatic organization in the European Union.
These findings come from the latest ESET report on the activities of APT (Advanced Persistent Threat) groups, covering April to September 2024.
The best VPN apps encrypt internet connections to keep third parties out while hiding users’ real IP addresses for greater online anonymity. But what if the people using such software are professional, government-backed hackers?
“One trend we have noticed among several China-linked threat actors is the use of SoftEther VPN instead of their usual implants or backdoors,” Mathieu Tartare, senior malware researcher at ESET, told Cyberscoop.
SoftEther VPN is open-source virtual private network (VPN) software that can establish its tunnel over an HTTPS connection (TCP port 443). Because that traffic looks like ordinary web browsing, it typically passes through a company’s firewall while blending in with legitimate traffic.
ESET researchers observed that Webworm, a China-linked cyber espionage group, switched from full-featured backdoors (such as the Trochilus RAT) to the SoftEther VPN Bridge on compromised machines at several government organizations in the EU.
“Such a VPN bridge allows the attacker to establish direct communication between the attacker-controlled infrastructure and the victim’s local network, bypassing port filtering and gaining access to resources that may be blocked on the remote router or firewall of the targeted organization,” researchers said.
#ESETresearch has released its latest APT activity report covering April to September 2024 (Q2 2024 – Q3 2024). During this period, 🇨🇳 China-focused APT groups increasingly relied on VPN platforms – particularly the open-source SoftEther VPN – to maintain access to victims’ networks. 1/2 pic.twitter.com/HazCFT55Us
November 7, 2024
Webworm is not the only group that regularly uses SoftEther VPN. GALLIUM, Flax Typhoon and MirrorFace all used the software during the research period, with MirrorFace relying on it regularly since late 2023.
For the first time ever, the MirrorFace group also expanded its targeting beyond Japan, adding an EU diplomatic organization to its usual Japanese targets.
Investigators have not named the compromised organization. However, the attack still appears tied to Japanese affairs: the hackers sent the victim a phishing email themed around Expo 2025, the World Expo that will take place in Osaka.
Speaking to Cyberscoop, Tartare said that organizations should treat any SoftEther VPN executable found on their network as suspicious and block it if it is not needed. Organizations should be especially wary of SoftEther VPN executables that do not carry their correct file name, he added.
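The advice above, as a hunting script: this is an added example written for this page, not code from ESET or the SoftEther project. It walks a directory tree, flags files that embed SoftEther vendor strings (checked both as ASCII and as UTF-16LE, since PE version resources are UTF-16), and marks a hit as renamed when its file name is not one the official distribution ships with. The marker strings, the list of expected file names, and the sample files it builds in a temporary directory are all assumptions constructed for the demonstration and should be tuned against a real copy of the software.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Vendor strings assumed to appear in SoftEther binaries (assumption for this
# example; verify against a genuine build before relying on them).
MARKERS = [b"SoftEther VPN", b"SoftEther Corporation"]

# File names the official SoftEther distribution is assumed to ship with.
EXPECTED_NAMES = {
    "vpnserver.exe", "vpnbridge.exe", "vpnclient.exe",
    "vpncmd.exe", "vpnsmgr.exe", "vpncmgr.exe",
}


def contains_marker(data: bytes) -> bool:
    """True if any marker is present as ASCII or as UTF-16LE (PE version info)."""
    for marker in MARKERS:
        if marker in data or marker.decode("ascii").encode("utf-16-le") in data:
            return True
    return False


def classify(path: Path) -> Optional[str]:
    """None for files without markers, 'softether' for a marked file under an
    expected name, 'softether-renamed' for a marked file under any other name."""
    try:
        data = path.read_bytes()  # SoftEther binaries are a few MB; whole-file read is fine
    except OSError:
        return None
    if not contains_marker(data):
        return None
    return "softether" if path.name.lower() in EXPECTED_NAMES else "softether-renamed"


def scan_tree(root: Path) -> Dict[str, str]:
    """Map each flagged file's path (relative to root, POSIX style) to its verdict."""
    findings: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            verdict = classify(p)
            if verdict:
                findings[p.relative_to(root).as_posix()] = verdict
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: three fake executables, not real binaries.
    One carries the expected name, one is a renamed copy, one is unrelated."""
    (root / "tools").mkdir(parents=True, exist_ok=True)
    header = b"MZ" + b"\x00" * 64
    (root / "tools" / "vpnbridge.exe").write_bytes(header + b"SoftEther VPN Bridge")
    (root / "svchost.exe").write_bytes(
        header + "SoftEther Corporation".encode("utf-16-le"))
    (root / "notepad.exe").write_bytes(header + b"Microsoft Corporation")


def demo() -> Dict[str, str]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:20s} {rel}")
```

String matching is a triage heuristic, not proof: an attacker can strip or obfuscate the vendor strings, so pair a sweep like this with hash-based allowlisting of approved software and with network detection of SoftEther's HTTPS tunnels. A hit under an unexpected name is the case Tartare singles out and deserves the first look.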
For more tips and tools on how to secure your organization, I recommend checking out our dedicated pages on the best business VPNs and endpoint security software on the market today.