Chinese PLA Unit 61419 suspected to have purchased AVs for cyber-espionage

Chinese military unit PLA Unit 61419 is suspected to be involved in cyber-espionage campaigns against multiple antivirus companies.

Researchers from cybersecurity firm Recorded Future’s Insikt Group have discovered six procurement documents from official People’s Liberation Army (PLA) military websites and other sources that demonstrate that PLA Unit 61419 has sought to purchase antivirus solutions from several major American, European, and Russian security companies. 

According to the experts, the purchases were made in early 2019 through local intermediaries, the threat actors were interested in English versions of AV solutions from major security firms, including Kaspersky, Bitdefender, Trend Micro, ESET, Dr.Web, Sophos, Symantec, McAfee, and Avira.

In order to avoid raising suspicion, the purchases were for small batches varying from 10 to 20 workstation licenses.

Experts speculate the cyberspies have purchased the security software to study them and find zero-day vulnerabilities that could be exploited in an attack or to test the detection of new malware.

The experts pointed out that China has demonstrated a pattern of software supply chain exploitation in its cyberespionage campaigns, and in some cases, threat actors were able to exploit foreign antivirus software purchased in 2019 as attack vectors.

In the summer of 2019, a China-linked APT called Tick Group exploited two zero-days impacting Trend Micro’s Apex One and OfficeScan XG enterprise security products. 

“Insikt Group assesses that the purchase of foreign antivirus software by the PLA poses a high risk to the global antivirus software supply chain.” reads the post published by  “Based on patterns of past campaigns and tactics, two scenarios are most likely for the PLA’s exploitation of foreign antivirus software:

Scenario 1: PLA cyber units and affiliated hacking groups will use foreign antivirus programs as a testing environment for natively developed malware. They will run the malware through foreign antivirus products to test its ability to evade detection, thereby making it more likely to successfully infect its targeted victims.

Scenario 2: PLA cyber units and affiliated hacking groups will reverse engineer the foreign antivirus software code to find previously undisclosed vulnerabilities. They will then use the newly discovered vulnerabilities in a zero-day attack for initial intrusion.”

Below the list of products purchased by Chinese cyberspies.

Date of Procurement OrderProduct NameSubscription LengthNumber of UsersCountry of SupplierJanuary 2019Kaspersky Security Cloud Family1 year20 user terminalsRussiaJanuary 2019Kaspersky Security Cloud Personal1 year10 user terminalsRussiaJanuary 2019Kaspersky Endpoint Security for Business Select1 year10 user terminalsRussiaJanuary 2019Kaspersky Endpoint Security Cloud Plus1 year10 user terminalsRussiaJanuary 2019Avira Prime1 year10 user terminalsGermanyApril-May 2019Kaspersky Endpoint Security for Business ADVANCED2 years30 user terminalsRussiaApril-May 2019McAfee Total Protection2 years30 user terminalsUSApril-May 2019Dr. Web Enterprise Security Suite2 years30 user terminalsRussiaApril-May 2019Nod32 ESET Multi-Device Security2 years10 user terminalsSlovakiaApril-May 2019Norton Security Premium2 years10 user terminalsUSApril-May 2019Symantec Endpoint Protection Subscription2 years10 user terminalsUSNovember 2019Trend Micro Worry-Free Services Advanced2 years10 user terminalsUS-JapanNovember 2019Sophos Intercept X2 years10 user terminalsUKNovember 2019BitDefender Total Security2 years10 user terminalsRomaniaTable 1: Antivirus security software included in the procurement documents discovered by Insikt Group

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

The post Chinese PLA Unit 61419 suspected to have purchased AVs for cyber-espionage appeared first on Security Affairs.