Security researchers said that they have noted a recent rise in the intensity and number of attacks launched by Chinese hackers targeting South Korean entities ever since the country announced it would deploy the Terminal High Altitude Area Defense (Thaad) missile system, aimed at defending itself from a missile threat from its rival North Korea.
China has previously denied retaliating against Seoul over the issue. However, two cyberespionage groups linked to Beijing's military and intelligence agencies have recently launched a series of attacks against the South Korean government and defence companies, FireEye director of cyberespionage analysis John Hultquist told the Wall Street Journal.
China opposes Thaad, claiming that its radar system can reach deep within its own territory, posing a security threat. However, the US and South Korea maintain that Thaad will only be used for defence.
Tonto Team and APT10
According to FireEye, which counts some South Korean firms as clients, one of the two hacker groups dubbed Tonto Team is based out of the northeastern Chinese city of Shenyang, which is an area where North Korean hackers are also known to be active. Hultquist added that the Tonto Team also has ties to the Chinese military. FireEye researchers said that the other cyberespionage group, known as APT10, may be linked to one of Beijing's military or intelligence agencies.
According to Hultquist, Tonto Team and APT10 hackers gained access to their targets' systems by sending emails with malicious attachments or links to compromised websites and tricking recipients into clicking on them. Such spear-phishing attacks have become popular among cyberespionage groups in recent years.
Spear-phishing the tool of choice
FireEye's analysis appears to be backed up by yet another cybersecurity firm, Russia's Kaspersky Lab, which also said that it has noted a resurgent wave of attacks against South Korean targets. Kaspersky Lab researchers said that the malicious software used in these attacks appeared to have been developed by Chinese speakers at the beginning of February.
Park Seong-su, senior global researcher for Kaspersky, said that the hackers used spear-phishing techniques, sending malware-laced emails that contained documents relating to national security, aerospace and other such topics. Kaspersky, however, refrained from attributing the attacks and said that it could not confirm whether they were related to Thaad.
Hacktivists join the cause
According to Hultquist, Chinese hacktivists with names like the "Panda Intelligence Bureau" and the "Denounce Lotte Group" have also joined forces with the two hacker groups. However, these hacktivists are working independently of the Chinese government, Hultquist added.
In March, South Korea's Ministry of Foreign Affairs said that a DDoS attack originating from China crippled its website. A spokesman for the Ministry said that "prompt defensive measures" were taken to ensure that the attacks weren't effective, adding that it was maintaining an "emergency service system" to repel Chinese hackers.
South Korea's Lotte Group also recently came under attack from Chinese hackers after the firm approved a Thaad-related land swap deal. Lotte's duty-free website was taken offline by a DDoS attack. A spokesperson for the group said that its Chinese website had been compromised by malware in February.
China's Ministry of Foreign Affairs is yet to comment on the matter.
According to recent cybersecurity reports, APT10 has been accused of launching a spate of attacks across the globe. One of those reports, jointly published by PricewaterhouseCoopers LLP and British weapons maker BAE Systems, said that Chinese hackers have evolved and are using more sophisticated techniques, such as customised malware, when launching attacks.
According to FireEye researchers, the recent scrutiny may prompt APT10 to lie low. However, in the long run "we believe they will return to their large-scale operations, potentially employing new tactics, techniques and procedures", FireEye added.