In a report published today (http://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html), Qihoo 360 disclosed that it detected an APT attack that delivers malicious files through the hijacked security services of a domestic VPN provider. Qihoo reported the vulnerability details to the service provider and received confirmation. Further reverse engineering attributes the attack to Darkhotel (APT-C-06), an APT group operating from the Korean Peninsula. Since March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad have come under attack. In early April, the attack spread to government agencies in Beijing and Shanghai.
Monitoring and analysis also suggest that a large number of VPN servers and endpoint devices in the affiliated organizations have been under the attackers' control.
If we accept that Qihoo has correctly attributed this activity to Darkhotel, and that Darkhotel is a North Korean actor, this report presents a few interesting findings. First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government, so the PRC might be signalling its disapproval to the DPRK. Third, a combined approach that integrates server-side and client-side techniques, at the scale indicated by Qihoo, is a sign that the DPRK has improved its offensive asset management capabilities.