PLA Unit 61419 has an interest in anti-virus products.
Recorded Future's Insikt Group has found procurement documents indicating that PLA Unit 61419 has sought to purchase foreign antivirus programs. The Insikt Group thinks it likely that the intention is to use them for exploitation, either as test environments for PLA-developed attack tools or to identify vulnerabilities that could be exploited for initial intrusion in zero-day attacks.
The tools for which PLA Unit 61419 sought subscriptions included some well-known names: Kaspersky Security Cloud Family, Kaspersky Security Cloud Personal, Kaspersky Endpoint Security for Business Select, Kaspersky Endpoint Security Cloud Plus, Avira Prime, Kaspersky Endpoint Security for Business ADVANCED, McAfee Total Protection, Dr. Web Enterprise Security Suite, Nod32 ESET Multi-Device Security, Norton Security Premium, Symantec Endpoint Protection Subscription, Trend Micro Worry-Free Services Advanced, Sophos Intercept X, and Bitdefender Total Security.
Using these anti-virus tools for test and development strikes the Insikt Group as a likely harbinger of supply chain attacks. “Given the pattern of Chinese state-sponsored exploitation of the global software supply chain described above,” their report says in its conclusion, “as well as China’s exclusion of foreign antivirus software as an option for government organizations, the brands and products indicated [above] should be monitored for future exploitation. Focus should be placed on adversarial simulations, penetration testing, patching known vulnerabilities, and monitoring for anomalous traffic related to these antivirus products.”
Last month Japanese authorities attributed a long-running cyberespionage campaign to People's Liberation Army Unit 61419. As the Japan Times and other outlets reported at the time, Japanese security services concluded that the “Tick” APT, which had been conducting cyberespionage against about two hundred organizations, prominently including the Japan Aerospace Exploration Agency, was being run by China's People's Liberation Army. Kyodo News characterized the unit as a “counterintelligence” outfit (although it actually appears to be a SIGINT unit) and said that a Chinese engineer and Communist Party member had been referred for prosecution.