DarkHotel Hackers Exploits VPN Zero-day to Breach Chinese Government Agencies

At the beginning of 2020, COVID-19 spread rapidly around the globe and hit humanity hard. According to The New York Times, as of 20:41 on April 6 there were more than 1.3 million confirmed COVID-19 cases and more than 73,000 deaths.

A growing number of businesses and government agencies are working remotely to maintain social distancing. A VPN helps with telecommuting: it establishes an encrypted tunnel that protects users' traffic from cyber threats. During quarantine, VPN services play an indispensable role in the remote work of enterprises and government agencies.

However, security researchers still have concerns about the security of remote working, because a vulnerability in a VPN product can be exploited by hackers to compromise VPN servers. Once a VPN server is compromised, every user who connects to that server is in danger.

Qihoo 360 detected the intrusion

Recently, Qihoo 360 reported that the APT group Darkhotel hijacked Sangfor VPN servers to distribute malicious files. The attack targeted China's overseas agencies and related government units. So far, a large number of VPN users have been compromised.

Who were the targets?

As the global epidemic spreads, many companies, and even diplomatic missions and government agencies, are adopting telecommuting, and VPN use among employees is surging. Darkhotel used the VPN vulnerability to launch an attack and compromise a large number of endpoint devices.

Since March, more than 200 VPN servers have been infected. Targets of this attack include Chinese government agencies in Beijing and Shanghai, and diplomatic missions in Afghanistan, closely, Ethiopia, India, Indonesia, Iran, Israel, Italy, Kyrgyzstan, Malaysia, North Korea, Pakistan, Saudi Arabia, Thailand, Turkey, UAE, United Kingdom and Vietnam.

What is Darkhotel?

Darkhotel is an APT group that, since 2007, has targeted corporate executives, government agencies, the defense industry, the electronics industry and other important institutions with cyber espionage attacks in China, North Korea, Japan, Myanmar, Russia and other countries. It is believed to originate from the Korean peninsula.

This is not the first time the Darkhotel group has attacked China. Previously, 360 Security Brain discovered that Darkhotel exploited the "double star" zero-day vulnerability to attack Chinese government agencies related to commerce and trade around the time Windows 7 support ended.

How did they perform the attack?

The vulnerability exploited in this attack lies in the update check that runs automatically when a VPN client initiates a connection to the server. When the client connects, it checks whether an update is available; if one is, the client updates itself before completing the connection. The client reads the update information from a configuration file at a fixed location on the VPN server it is connecting to and then downloads a program called SangforUD.exe. Because this update-check mechanism is relatively simple, Darkhotel was able to replace the original update program with a Trojan. As a result, many devices running older versions of the Sangfor VPN client were attacked, and the hackers used this to deliver the backdoor Trojan to selected Sangfor VPN users.
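The weakness described above is that the client trusts whatever the server it is connecting to serves as the update. The Python sketch below is an added example, not Sangfor's code or the real client protocol: it models the fixed-location config file and the updater download with in-memory dictionaries (constructed data, hypothetical paths), and contrasts an unverified update check with one that pins the expected updater's SHA-256 digest in the client, so a binary swapped on the server is rejected.

```python
import hashlib

# Constructed stand-ins for what a VPN server would serve: a config file at a
# fixed path that names the updater, and the updater binary itself.
# (Hypothetical paths and contents; not the real Sangfor layout.)
UPDATE_CONFIG_PATH = "/update/config.txt"
LEGIT_UPDATER = b"GENUINE_UPDATER_BYTES"       # constructed placeholder
TROJAN_UPDATER = b"TROJANISED_UPDATER_BYTES"   # constructed placeholder

LEGIT_SERVER = {
    UPDATE_CONFIG_PATH: "version=2;file=/update/SangforUD.exe",
    "/update/SangforUD.exe": LEGIT_UPDATER,
}
# A hijacked server: the attacker controls both the config and the binary, so
# any check that relies only on server-supplied data is satisfied trivially.
HIJACKED_SERVER = {
    UPDATE_CONFIG_PATH: "version=3;file=/update/SangforUD.exe",
    "/update/SangforUD.exe": TROJAN_UPDATER,
}

# Trust anchor that lives in the client, not on the server: the digest of the
# updater the vendor actually shipped (computed here from the placeholder).
PINNED_UPDATER_SHA256 = hashlib.sha256(LEGIT_UPDATER).hexdigest()
INSTALLED_VERSION = 1


def parse_update_config(text):
    """Parse 'key=value;key=value' into a dict."""
    return dict(item.split("=", 1) for item in text.split(";") if item)


def check_update_unverified(server):
    """Weak pattern: run whatever the server says is the new updater."""
    cfg = parse_update_config(server[UPDATE_CONFIG_PATH])
    if int(cfg["version"]) <= INSTALLED_VERSION:
        return ("up-to-date", None)
    return ("run", server[cfg["file"]])


def check_update_verified(server, pinned_sha256=PINNED_UPDATER_SHA256):
    """Hardened pattern: only run a downloaded updater whose digest matches
    the value pinned in the client; a server that swaps the binary fails."""
    cfg = parse_update_config(server[UPDATE_CONFIG_PATH])
    if int(cfg["version"]) <= INSTALLED_VERSION:
        return ("up-to-date", None)
    blob = server[cfg["file"]]
    if hashlib.sha256(blob).hexdigest() != pinned_sha256:
        return ("rejected: updater digest mismatch", None)
    return ("run", blob)
```

In a shipping client the pin would be a vendor code-signing key rather than a single digest, so genuine new versions still pass; the point is that the trust anchor must not come from the server being connected to.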

What did Sangfor do?

Sangfor immediately released a patch for the SSL VPN servers (running firmware versions M6.3R1 and M6.1) that were confirmed to be under attack. It then carried out a comprehensive security risk screening and released patches for all SSL VPN servers. After users install the patches and upgrade their SSL VPN products, the servers can automatically update and restore tampered clients to prevent further malicious attacks. Sangfor also released a script tool that detects whether an SSL VPN server has been altered: users concerned that their VPN server may have been maliciously accessed can run the script to check for themselves, and if a malicious file infection is confirmed they can download a malicious-file removal tool. Sangfor further promised to send security experts for remote or on-site assistance if its users encounter any problem.

Why did Darkhotel launch the attack?

According to the report, there are several possible reasons.

By breaching VPN servers to compromise Chinese government agencies and diplomatic missions, Darkhotel might be trying to obtain advanced medical technology and epidemic rescue measures developed during the prevention and control of the epidemic.

It may have aimed to obtain real medical data on the epidemic in countries around the world by keeping an eye on Chinese overseas missions.

Darkhotel may have attacked China's overseas missions to learn the transport routes, quantities and equipment involved in China's delivery of epidemic relief materials to the rest of the world.

It might also have sought political, economic and trade data in order to understand each country's relationship with China, and so find a way toward economic recovery after the coronavirus outbreak.

Aside from using a VPN, RitaVPN strongly recommends that you set strong passwords for your accounts and change them regularly. Beyond that, you should raise your overall security awareness.
