The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability

In a report published today (, Qihoo 360 made it public that it detected an APT attack that delivers malicious files through hijacked security services of a domestic VPN provider. They have reported the vulnerability details to the service provider and received confirmation. Further reversing shows that the attack can be attributed to the Darkhotel (APT-C-06), an APT gang in the Korean Peninsula. Since March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad were under attack. In early April, the attack spread to government agencies in Beijing and Shanghai.

The monitoring and analysis also suggest that a large number of VPN servers and endpoint devices in associated functioning units have been under the control of the attackers.

Richard Bejtlich , Principal Security Strategist,  Corelight
April 08, 2020
Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government.
If we accept that Qihoo has correctly attributed this activity to Dark Hotel, and that Dark Hotel is a North Korean actor, this report presents a few interesting findings. First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findi ....
[Read More >>]

If you are an expert on this topic:

Submit Your Expert Comments

In this article