Report: APT20, a Chinese government-linked hacking group, has bypassed key fob-enabled 2FA in recent attacks on government organs and managed service providers. ( Catalin Cimpanu / ZDNet)

The APT20 hacker group is one of the largest threat actors targeting U.S. organizations and governments. As revealed in June 2017 by the U.S. government, the APT20 group has been actively attacking networks since 2012 and is closely linked to the Chinese military. It’s believed that the hackers act on behalf of the People’s Liberation Army, a statement later confirmed by the United States Department of Defense. The hackers have been credited with several high-profile cyberattacks, including hacks against a Ukrainian power grid operator, a Saudi Aramco oil field, and a dam in South Korea. The U.S. government has also named APT20 as being behind the theft of intellectual property related to the development of the WannaCry ransomware attack that spread around the globe last spring.

What is APT20, a Chinese government-linked hacking group?  

APT20 is a top threat group targeting the U.S. government and defense contractors. In May 2016, Symantec identified a new cyber espionage operation, “Grizzly Steppe,” because it focused on targeting the American government and military organizations. Based in China, Grizzly Steppe is suspected to be an extension of APT20. It used spear phishing attacks against defense contractors to compromise their networks. Grizzly Steppe’s targets included government agencies such as the U.S. Air Force, the Navy, and the U.S. Army. It also targeted technology contractors. The U.S. Department of Homeland Security has attributed many cyberattacks on the U.S. and Western governments to the APT20 group.

Why has APT20, a Chinese government-linked hacking group, bypassed key fob-enabled 2FA?  

Bypassing key fobs is a common thing among cyber criminals. But why would the Chinese government-linked hacking group, APT20, bother? The group targets U.S. individuals who are likely connected to high-level government and military officials. A key fob, a combination of hardware and software, allows users to enter or exit their houses. It can be attached to a smartphone, allowing users to access their home remotely using a PIN. And many people rely heavily on it when they’re away from home. APT20 stole the device-based authentication codes used by people who relied on their key fobs. To do so, the hackers were able to hack into the U.S.

How does 2FA attack government organs and managed service providers?  

There are two forms of 2FA attacks, which we’ll call classic and lateral. Classic 2FA attacks are initiated by a phishing attack specifically aimed at an individual account holder or company and require a password reset email to be sent to the target. In this case, the attacker sends a password reset email to the user’s email address with the same password used in the original account, hoping the user will click the link provided and enter their new password. If they do, the attacker will have access to the target account. Lateral 2FA attacks are initiated by a phishing attack against a large group of people within the same organization, such as a company’s human resources department or


In conclusion, we’ve seen how a malicious actor is known as APT20 targets organizations that have been targeted in the past. To protect against these types of threats, companies should implement multi-factor authentication and take other necessary steps to strengthen their security posture. This report provides a case study of one threat and details several technical controls to secure system access.


1. What is 2FA? 

Two Factor Authentication (2FA) is an authentication process that requires two steps to access a resource. For example, if you want to log into a website, you will be prompted for a username and password. The second step is typically something that is either sent to your mobile device or generated by a time-based one-time password (OTP).

2. Why would an organization use 2FA? 

Organizations use 2FA to protect their data from being accessed by unauthorized users.

3. How can an attacker get around 2FA? 

An attacker can use social engineering to trick users into providing their password or OTP.

4. What does this mean for the average consumer? 

As a consumer, you should ensure that 2FA protects your account credentials.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button