Researchers from cybersecurity firm Recorded Future’s Insikt Group have discovered six procurement documents from official People’s Liberation Army (PLA) military websites and other sources that demonstrate that PLA Unit 61419 has sought to purchase antivirus solutions from several major American, European, and Russian security companies.
According to the experts, the purchases were made in early 2019 through local intermediaries, the threat actors were interested in English versions of AV solutions from major security firms, including Kaspersky, Bitdefender, Trend Micro, ESET, Dr.Web, Sophos, Symantec, McAfee, and Avira.
In order to avoid raising suspicion, the purchases were for small batches varying from 10 to 20 workstation licenses.
Experts speculate the cyberspies have purchased the security software to study them and find zero-day vulnerabilities that could be exploited in an attack or to test the detection of new malware.
The experts pointed out that China has demonstrated a pattern of software supply chain exploitation in its cyberespionage campaigns, and in some cases, threat actors were able to exploit foreign antivirus software purchased in 2019 as attack vectors.
“Insikt Group assesses that the purchase of foreign antivirus software by the PLA poses a high risk to the global antivirus software supply chain.” reads the post published by “Based on patterns of past campaigns and tactics, two scenarios are most likely for the PLA’s exploitation of foreign antivirus software:
Scenario 1: PLA cyber units and affiliated hacking groups will use foreign antivirus programs as a testing environment for natively developed malware. They will run the malware through foreign antivirus products to test its ability to evade detection, thereby making it more likely to successfully infect its targeted victims.
Scenario 2: PLA cyber units and affiliated hacking groups will reverse engineer the foreign antivirus software code to find previously undisclosed vulnerabilities. They will then use the newly discovered vulnerabilities in a zero-day attack for initial intrusion.”
Below the list of products purchased by Chinese cyberspies.
|Date of Procurement Order||Product Name||Subscription Length||Number of Users||Country of Supplier|
|January 2019||Kaspersky Security Cloud Family||1 year||20 user terminals||Russia|
|January 2019||Kaspersky Security Cloud Personal||1 year||10 user terminals||Russia|
|January 2019||Kaspersky Endpoint Security for Business Select||1 year||10 user terminals||Russia|
|January 2019||Kaspersky Endpoint Security Cloud Plus||1 year||10 user terminals||Russia|
|January 2019||Avira Prime||1 year||10 user terminals||Germany|
|April-May 2019||Kaspersky Endpoint Security for Business ADVANCED||2 years||30 user terminals||Russia|
|April-May 2019||McAfee Total Protection||2 years||30 user terminals||US|
|April-May 2019||Dr. Web Enterprise Security Suite||2 years||30 user terminals||Russia|
|April-May 2019||Nod32 ESET Multi-Device Security||2 years||10 user terminals||Slovakia|
|April-May 2019||Norton Security Premium||2 years||10 user terminals||US|
|April-May 2019||Symantec Endpoint Protection Subscription||2 years||10 user terminals||US|
|November 2019||Trend Micro Worry-Free Services Advanced||2 years||10 user terminals||US-Japan|
|November 2019||Sophos Intercept X||2 years||10 user terminals||UK|
|November 2019||BitDefender Total Security||2 years||10 user terminals||Romania|
Table 1: Antivirus security software included in the procurement documents discovered by Insikt Group
(SecurityAffairs – hacking, PLA Unit 61419)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.