Chinese hackers are relying on legitimate VPN services to mask illegal activities, and for the first time, a diplomatic organization in the European Union is among their targets.
These findings come from the latest ESET report on APT (Advanced Persistent Threat) groups' activities between April and September 2024.
All the best VPN apps encrypt internet connections to prevent third-party access while spoofing users' real IP addresses for maximum online anonymity. But what if those who use these services are professional government-backed hackers?
SoftEther VPN: hackers' tool of choice
"One trend that we noticed among several China-aligned threat actors is the use of SoftEther VPN instead of their usual implants or backdoors," Mathieu Tartare, senior malware researcher at ESET, told Cyberscoop.
SoftEther VPN is an open-source virtual private network (VPN) software that can use HTTPS connections to establish a VPN tunnel. This allows its users to bypass a company's firewall, for instance, while blending into legitimate traffic.
Experts observed the Webworm APT group, a cyberespionage group linked to China, switching from full-featured backdoors (such as the Trochilus RAT) to the SoftEther VPN Bridge on compromised machines of several governmental organizations in the EU.
"Such a VPN bridge allows the attacker to establish direct communication between the attacker-controlled infrastructure and the victim’s local network, bypassing port filtering and accessing resources that might be blocked on the external router or firewall of the targeted organization," noted researchers.
#ESETresearch released its latest APT Activity Report covering April to September 2024 (Q2 2024–Q3 2024). This period saw 🇨🇳 China-aligned APT groups increasingly relying on VPN platforms – specifically the open-source SoftEther VPN – to maintain access to victims’ networks. 1/2 pic.twitter.com/HazCFT55UsNovember 7, 2024
Webworm wasn't the only group regularly deploying SoftEther VPN, either. GALLIUM, Flax Typhoon, and MirrorFace all have been using the VPN service during the research period with the latter making regular use of it since the end of 2023.
For the very first time, the MirrorFace group also expanded its target list outside Japan, including an EU diplomatic organization alongside its usual targets.
Researchers did not name the compromised organization. Yet, the attack still appears to be linked with Japanese affairs as hackers sent the victim a phishing email about the 2025 World EXPO exhibition, which is set to be held in Osaka.
Talking to Cyberscoop, Tartare said organizations should consider any SoftEther VPN executables deployed on the network as suspicious and block them if they aren't needed. You should be especially wary of those SoftEther VPN executables that do not have the right filename, he added.
For more tips and tools on how to secure your organizations, I recommend checking our dedicated pages of the best business VPNs and endpoint protection software currently on the market.
