Chinese PLA Unit 61419 suspected to have purchased AVs for cyber-espionage

Chinese military unit PLA Unit 61419 is suspected to be involved in cyber-espionage campaigns against multiple antivirus companies.

Researchers from cybersecurity firm Recorded Future’s Insikt Group have discovered six procurement documents from official People’s Liberation Army (PLA) military websites and other sources that demonstrate that PLA Unit 61419 has sought to purchase antivirus solutions from several major American, European, and Russian security companies. 

According to the experts, the purchases were made in early 2019 through local intermediaries, the threat actors were interested in English versions of AV solutions from major security firms, including Kaspersky, Bitdefender, Trend Micro, ESET, Dr.Web, Sophos, Symantec, McAfee, and Avira.

PLA Unit 61419 AV purchases

In order to avoid raising suspicion, the purchases were for small batches varying from 10 to 20 workstation licenses.

Experts speculate the cyberspies have purchased the security software to study them and find zero-day vulnerabilities that could be exploited in an attack or to test the detection of new malware.

The experts pointed out that China has demonstrated a pattern of software supply chain exploitation in its cyberespionage campaigns, and in some cases, threat actors were able to exploit foreign antivirus software purchased in 2019 as attack vectors.

In the summer of 2019, a China-linked APT called Tick Group exploited two zero-days impacting Trend Micro’s Apex One and OfficeScan XG enterprise security products. 

“Insikt Group assesses that the purchase of foreign antivirus software by the PLA poses a high risk to the global antivirus software supply chain.” reads the post published by  “Based on patterns of past campaigns and tactics, two scenarios are most likely for the PLA’s exploitation of foreign antivirus software:

Scenario 1: PLA cyber units and affiliated hacking groups will use foreign antivirus programs as a testing environment for natively developed malware. They will run the malware through foreign antivirus products to test its ability to evade detection, thereby making it more likely to successfully infect its targeted victims.

Scenario 2: PLA cyber units and affiliated hacking groups will reverse engineer the foreign antivirus software code to find previously undisclosed vulnerabilities. They will then use the newly discovered vulnerabilities in a zero-day attack for initial intrusion.”

Below the list of products purchased by Chinese cyberspies.

Date of Procurement Order Product Name Subscription Length Number of Users Country of Supplier
January 2019 Kaspersky Security Cloud Family 1 year 20 user terminals Russia
January 2019 Kaspersky Security Cloud Personal 1 year 10 user terminals Russia
January 2019 Kaspersky Endpoint Security for Business Select 1 year 10 user terminals Russia
January 2019 Kaspersky Endpoint Security Cloud Plus 1 year 10 user terminals Russia
January 2019 Avira Prime 1 year 10 user terminals Germany
April-May 2019 Kaspersky Endpoint Security for Business ADVANCED 2 years 30 user terminals Russia
April-May 2019 McAfee Total Protection 2 years 30 user terminals US
April-May 2019 Dr. Web Enterprise Security Suite 2 years 30 user terminals Russia
April-May 2019 Nod32 ESET Multi-Device Security 2 years 10 user terminals Slovakia
April-May 2019 Norton Security Premium 2 years 10 user terminals US
April-May 2019 Symantec Endpoint Protection Subscription 2 years 10 user terminals US
November 2019 Trend Micro Worry-Free Services Advanced 2 years 10 user terminals US-Japan
November 2019 Sophos Intercept X 2 years 10 user terminals UK
November 2019 BitDefender Total Security 2 years 10 user terminals Romania

Table 1: Antivirus security software included in the procurement documents discovered by Insikt Group

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

The post Chinese PLA Unit 61419 suspected to have purchased AVs for cyber-espionage appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source