
Hacker group with members from Europe, North America found to have launched cyberattacks against China

By Cao Siqi (Global Times) 09:06, February 20, 2023

Chinese cybersecurity experts have exposed a hacker group, with its core members coming from Europe and North America, which has been launching sustained cyberattacks against China as its primary target, posing a serious threat to the country’s cybersecurity and data security, the Global Times learned from a Beijing-based cybersecurity lab on Sunday.

In a report the Global Times obtained from Qi An Pangu lab, the hacking group, named Against The West (ATW), is said to have claimed more than 70 times since 2021 to have disclosed sensitive information, including the source code and databases of important information systems related to China, involving some 300 information systems of more than 100 important government agencies as well as aviation and infrastructure departments.

In particular, since 2022, ATW has intensified its activity and continued to carry out large-scale scanning and probing of Chinese networks together with "supply chain" attacks, the report shows.

Through long-term tracking, cybersecurity experts from Qi An Pangu lab found that the active members of ATW are mainly engaged in programming and network engineer-related occupations and they are mainly located in Switzerland, France, Poland, Canada and other countries.

This is the second time that the lab has revealed the true face of a hacker organization carrying out data theft and network attacks on China, following its exposure of the complete technical details of Equation, an elite hacking group affiliated with the NSA, in February 2022. Equation was found to have created an advanced and covert backdoor, which had been used to monitor 45 countries and regions for over a decade.

According to the report, the ATW group was established in June 2021 and became active in online forums in October that year. Since its establishment, ATW has expressed a clear anti-China bias. It publicly stated that it would “publish posts about data leakage in China, North Korea and other countries.” It also published a special post entitled “ATW-War against China,” which explicitly supported “Taiwan independence,” advocated “Hong Kong independence” and hyped up “human rights issues” in China’s Xinjiang region.

Since October 2021, the organization has been active across overseas social media platforms, displaying a clear pro-US and pro-West slant. ATW has published several statements claiming that the organization's targets are Russia, Belarus, China, Iran and North Korea and that it is willing to share files with the US and the EU or to be hired by their related agencies.

According to incomplete statistics, since 2021, ATW has disclosed important information system source code, database and other sensitive information more than 70 times. The organization claimed that the data came from more than 100 Chinese departments, involving government agencies and state-owned enterprises.

For example, on January 7, 2022, ATW claimed to sell “a large amount of government, NGO, institutional and corporate data in China, involving 102 Chinese entities.”

However, experts from the lab found that the so-called source code consists of test data or project code files from small and medium-sized software development enterprises. Experts also found that, in order to gain attention, ATW tends to distort and exaggerate its attacks.

The lab team identified six active members of ATW, three of them from France and one from Canada. One of the members, Tillie Kottmann, born in Switzerland, was charged by the US Department of Justice in March 2021, but the case was abruptly suspended at the end of March. Since then, China has been one of Kottmann's main targets, according to the lab report.

The organization mainly carried out large-scale scanning for, and attacks on, vulnerable internet-exposed instances of SonarQube, Gogs, Gitblit and other open-source code-hosting and code-analysis systems. It would then steal the source code and data held there, which can be used to further exploit and penetrate the target's information systems.

"This is a typical ‘supply chain' attack," a senior cybersecurity expert from the lab told the Global Times on Sunday.

He suggested that software development enterprises immediately patch software vulnerabilities, strictly control access from the public internet, change default access passwords promptly, and further improve their source-code security management.
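As an added example (it is not part of the Global Times report or of the lab's own tooling), the following Python script checks a SonarQube instance that you are authorized to test for the two conditions this kind of code-theft campaign depends on: accepted factory credentials (SonarQube ships with admin/admin) and anonymous read access to the project list and raw source. The endpoints `/api/authentication/validate`, `/api/components/search`, `/api/components/tree` and `/api/sources/raw` are SonarQube's documented Web API; the host name, project key and file contents in the two constructed response sets are invented so the script can be exercised offline. Gogs and Gitblit need their own endpoint checks, but the same pattern (try the default login, then try to read without logging in) applies.

```python
"""
Self-audit for a SonarQube instance: do the factory credentials still work, and
can an unauthenticated client list projects and download raw source?
Standard library only; the HTTP layer is injectable so the logic runs offline.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Factory credentials SonarQube ships with (assumption: never rotated on the target).
DEFAULT_CREDS = [("admin", "admin")]


def http_get(base_url, path, auth=None):
    """Fetch base_url+path, optionally with HTTP Basic auth. Returns (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _components(status, body):
    """Extract component keys from a SonarQube JSON listing, or [] on any error."""
    if status != 200:
        return []
    try:
        return [c["key"] for c in json.loads(body).get("components", []) if "key" in c]
    except ValueError:
        return []


def audit_sonarqube(base_url, fetch=http_get):
    """Run the three checks against one instance and return a list of finding strings."""
    findings = []

    # 1. Default credentials: /api/authentication/validate answers {"valid": true}
    #    when the supplied Basic-auth credentials are accepted.
    for user, pw in DEFAULT_CREDS:
        status, body = fetch(base_url, "/api/authentication/validate", (user, pw))
        try:
            valid = status == 200 and json.loads(body).get("valid") is True
        except ValueError:
            valid = False
        if valid:
            findings.append(f"default credentials accepted: {user}:{pw}")

    # 2. Anonymous project enumeration: works when the built-in "Anyone" group
    #    holds Browse permission (the out-of-the-box setting on older installs).
    projects = _components(*fetch(base_url, "/api/components/search?qualifiers=TRK&ps=500"))
    if projects:
        findings.append(f"{len(projects)} project(s) enumerable anonymously, e.g. {projects[0]}")

    # 3. Anonymous raw source read: take one file from the first project's component
    #    tree and try to download it. This is the step that actually leaks code.
    for key in projects[:1]:
        tree_path = "/api/components/tree?component=%s&qualifiers=FIL&ps=1" % urllib.parse.quote(key, safe="")
        for fkey in _components(*fetch(base_url, tree_path)):
            status, body = fetch(base_url, "/api/sources/raw?key=" + urllib.parse.quote(fkey, safe=""))
            if status == 200 and body.strip():
                findings.append(f"raw source readable anonymously: {fkey} ({len(body)} bytes)")

    return findings


# --- Constructed responses for an offline run (invented host, project and file) ---
def exposed_fetch(base_url, path, auth=None):
    """Simulates an unhardened instance: admin/admin works and everything is public."""
    if path.startswith("/api/authentication/validate"):
        return 200, json.dumps({"valid": auth == ("admin", "admin")})
    if path.startswith("/api/components/search"):
        return 200, json.dumps({"components": [{"key": "billing-core", "qualifier": "TRK"}]})
    if path.startswith("/api/components/tree"):
        return 200, json.dumps({"components": [{"key": "billing-core:src/Db.java", "qualifier": "FIL"}]})
    if path.startswith("/api/sources/raw"):
        return 200, 'String url = "jdbc:mysql://db.internal/prod?user=app&password=hunter2";\n'
    return 404, ""


def hardened_fetch(base_url, path, auth=None):
    """Simulates a fixed instance: password rotated, anonymous browsing disabled."""
    if path.startswith("/api/authentication/validate"):
        return 200, json.dumps({"valid": False})
    return 401, json.dumps({"errors": [{"msg": "Insufficient privileges"}]})


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python audit.py https://sonar.example.com
        result = audit_sonarqube(sys.argv[1])
    else:                                      # no target given: demo against the constructed responses
        result = audit_sonarqube("http://sonar.example.invalid", fetch=exposed_fetch)
    print("\n".join(result) if result else "no exposure found")
```

Run it against each SonarQube host on your asset list; any finding from check 1 means rotating the admin password and reviewing the audit log for prior logins, and any finding from checks 2 or 3 means removing Browse from the "Anyone" group (or putting the instance behind VPN or SSO) and treating the listed projects as already exposed.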

As for the leakage of system source code deployed at user organizations, the expert suggested that software development enterprises strengthen security audits of system source code and store the source code and data of important information systems in encrypted form.

"Cybersecurity-related government departments and technical teams should strengthen the monitoring of the ATW organization's illegal cyberattack activities, warn of attack trends, and carry out background tracing and other countermeasures," the expert said.

(Web editor: Zhang Kaiwei, Wu Chaolan)
