Chinese PLA Unit 61419 suspected to have purchased AVs for cyber-espionage

Chinese military unit PLA Unit 61419 is suspected to be involved in cyber-espionage campaigns against multiple antivirus companies.

Researchers from cybersecurity firm Recorded Future’s Insikt Group have discovered six procurement documents from official People’s Liberation Army (PLA) military websites and other sources that demonstrate that PLA Unit 61419 has sought to purchase antivirus solutions from several major American, European, and Russian security companies. 

According to the experts, the purchases were made in early 2019 through local intermediaries, the threat actors were interested in English versions of AV solutions from major security firms, including Kaspersky, Bitdefender, Trend Micro, ESET, Dr.Web, Sophos, Symantec, McAfee, and Avira.

In order to avoid raising suspicion, the purchases were for small batches varying from 10 to 20 workstation licenses.

Experts speculate the cyberspies have purchased the security software to study them and find zero-day vulnerabilities that could be exploited in an attack or to test the detection of new malware.

The experts pointed out that China has demonstrated a pattern of software supply chain exploitation in its cyberespionage campaigns, and in some cases, threat actors were able to exploit foreign antivirus software purchased in 2019 as attack vectors.

In the summer of 2019, a China-linked APT called Tick Group exploited two zero-days impacting Trend Micro’s Apex One and OfficeScan XG enterprise security products. 

“Insikt Group assesses that the purchase of foreign antivirus software by the PLA poses a high risk to the global antivirus software supply chain.” reads the post published by  “Based on patterns of past campaigns and tactics, two scenarios are most likely for the PLA’s exploitation of foreign antivirus software:

Scenario 1: PLA cyber units and affiliated hacking groups will use foreign antivirus programs as a testing environment for natively developed malware. They will run the malware through foreign antivirus products to test its ability to evade detection, thereby making it more likely to successfully infect its targeted victims.

Scenario 2: PLA cyber units and affiliated hacking groups will reverse engineer the foreign antivirus software code to find previously undisclosed vulnerabilities. They will then use the newly discovered vulnerabilities in a zero-day attack for initial intrusion.”

Below the list of products purchased by Chinese cyberspies.

Date of Procurement Order	Product Name	Subscription Length	Number of Users	Country of Supplier
January 2019	Kaspersky Security Cloud Family	1 year	20 user terminals	Russia
January 2019	Kaspersky Security Cloud Personal	1 year	10 user terminals	Russia
January 2019	Kaspersky Endpoint Security for Business Select	1 year	10 user terminals	Russia
January 2019	Kaspersky Endpoint Security Cloud Plus	1 year	10 user terminals	Russia
January 2019	Avira Prime	1 year	10 user terminals	Germany
April-May 2019	Kaspersky Endpoint Security for Business ADVANCED	2 years	30 user terminals	Russia
April-May 2019	McAfee Total Protection	2 years	30 user terminals	US
April-May 2019	Dr. Web Enterprise Security Suite	2 years	30 user terminals	Russia
April-May 2019	Nod32 ESET Multi-Device Security	2 years	10 user terminals	Slovakia
April-May 2019	Norton Security Premium	2 years	10 user terminals	US
April-May 2019	Symantec Endpoint Protection Subscription	2 years	10 user terminals	US
November 2019	Trend Micro Worry-Free Services Advanced	2 years	10 user terminals	US-Japan
November 2019	Sophos Intercept X	2 years	10 user terminals	UK
November 2019	BitDefender Total Security	2 years	10 user terminals	Romania

Table 1: Antivirus security software included in the procurement documents discovered by Insikt Group

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

The post Chinese PLA Unit 61419 suspected to have purchased AVs for cyber-espionage appeared first on Security Affairs.