| Category | Industry | Country | Source (*) |
|---|---|---|---|
| Adversary Intelligence | Communications | China | A1 |
- CloudSEK's contextual AI digital risk platform XVigil has been actively tracking the activities of the threat actor group AgainstTheWest, which also operates under the aliases BlueHornet and APT49.
- The group has been targeting Chinese entities in its ongoing campaign titled Operation China / Operation Renminbi.
- In its latest activity, the group has breached 2.05 billion records from the Chinese messaging and video-sharing apps WeChat and TikTok.
- The leaked data contained user and payment information.
- Both breached entities used an Alibaba Cloud instance to store their backend source code, and that instance was compromised by the group.
- The Alibaba Cloud instance used by the compromised entities had a weak password, which served as the group's initial access point.
- After gaining access to the cloud storage instance, the group proceeded to provide live updates on Twitter.
- Samples from the data files attributed to TikTok confirm that the following information was obtained:
  - User information
  - PayPal ID
  - Private IP addresses
  - Email addresses
  - Transaction recipient's name
- Within 11 hours of gaining access, the group had pulled 1.37 billion entries.
- Additionally, the group obtained access to an Oracle server containing 34GB of logs.
- The group stated that they would not be selling the breached data, as the entries contain information on both underage and older individuals.
- WeChat's database was found within the same database as TikTok's.
- There was no previous indication that TikTok and WeChat were sharing user information with each other.
- It should be noted that WeChat is a government-owned messaging application, and that TikTok claims not to share any user information with its government.
- At the time of writing this intelligence report, TikTok had not acknowledged the breach.
| Threat Actor Profiling | |
|---|---|
| Active since | October 2021 |
| Reputation | High (no complaints and credible reputation) |
| History | Involved in targeting China and Russia to conduct breaches and sell documents/databases for financial gain. |
| Rating | A1 (A: Reliable; 1: Confirmed by independent sources) |
- (#) Traffic Light Protocol
- (*) Intelligence Source & Information Reliability
- Twitter thread by Troy Hunt
- Profile of threat actor 'AgainstTheWest'