The U.S. Department of Justice announced today charges against five Chinese nationals for cyberattacks on more than 100 companies, some of which are attributed to the state-backed hacking group APT41.
APT41 is one of the longest-active threat groups, known primarily for cyber-espionage operations against a wide range of targets, including software developers, gaming companies, hardware manufacturers, think tanks, telecommunications providers, social media companies, universities, and foreign governments.
Kaspersky has been tracking this group since 2012 as Winnti – the name Symantec gave the malware used in attacks. APT41 has been active for more than a decade and is also known as Barium, Wicked Panda/Spider.
Front Security Company
Two of the alleged APT41 members (Zhang Haoran and Tai Dailin) were charged in August last year and were connected with the three indicted last month:
Jiang Lizhi, 35
Qian Chuan, 39
Fu Qiang, 37
All five hackers are currently at large and are the newest addition to the Cyber’s Most Wanted list from the FBI.
Court documents describe the trio as experienced hackers who have been working together since at least 2013 and had previously collaborated with the other two defendants.
Since 2014, Jiang, Qian, and Fu carried out hacking activity that security researchers attribute to the APT41 threat group through a front company called Chengdu 404 Network Technology.
They stole source code, software code-signing certificates, customer account data, and personally identifiable information, and deployed sophisticated supply-chain attacks (CCleaner, ShadowPad, ShadowHammer), the indictment reveals.
Chengdu 404 promoted itself as a network security company of white-hat hackers with clients in the public security and military sector.
Its activity included defensive and counter-offensive network security services, forensics, penetration testing, and other security-related services.
If caught, the three hackers face a combined maximum sentence of more than 70 years in prison, the DOJ states in a press release.
Hacking for Self and Country
According to the indictment, Chengdu 404 employees, including Jiang, Qian, and Fu, were also conducting criminal activity that targeted more than 100 companies around the world.
The three were involved in ransomware attacks against at least three entities in May 2020: a global non-governmental organization, a real estate company in the U.S., and an energy company in Taiwan.
Ransomware attacks, along with cryptojacking operations, were deployed for personal financial gain, in contrast to the interests of the company's customers (Chinese government agencies, including the Ministry of Public Security).
Cybersecurity companies following APT41 activity revealed that the group engages in both espionage and criminal activities. In a report in 2018, CrowdStrike highlights the double motivation of this threat actor saying that it “likely operates as an exploitation group for hire” and that it is “commonly associated with the interests of the government of the People’s Republic of China.”
“WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as “Winnti,” whereas WICKED SPIDER represents this group’s financially-motivated criminal activity” – CrowdStrike
FireEye echoes this characterization of APT41 in research published last year, noting that:
“Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward” – FireEye
APT41 uses both custom and open-source tools to compromise victims and move laterally on their networks. The hackers also relied on exploiting severe vulnerabilities in internet-facing appliances for initial access:
- CVE-2019-19781 leading to arbitrary remote code execution in Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway)
- CVE-2019-11510 in Pulse Secure VPN
- CVE-2019-16920 – unauthenticated remote code execution in multiple D-Link products
- CVE-2019-16278 – directory traversal leading to remote code execution in Nostromo web server (nhttpd)
- CVE-2019-1652 / CVE-2019-1653 – command injection and information disclosure in Cisco RV320 and RV325 routers for small businesses
- CVE-2020-10189 – remote code execution vulnerability in Zoho ManageEngine Desktop Central
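The vulnerabilities above are all reachable from the internet, so exploitation attempts leave traces in web server or appliance access logs. The following is an added example (not code from the article, the DOJ, or the vendors) showing how a defender can sweep access logs for the well-known request-path indicators of these CVEs. The indicator strings come from public vendor and CISA advisories, not from the indictment; the log lines are constructed for illustration, and the Cisco entry covers only the CVE-2019-1653 configuration-export path:

```python
import re
from urllib.parse import unquote

# Public request-path indicators for the CVEs listed above. These come from
# public advisories/detection guidance, not from the article or indictment.
INDICATORS = {
    # Citrix ADC/Gateway: traversal from /vpn/ into /vpns/ (e.g. smb.conf read)
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.I),
    # Pulse Secure VPN: arbitrary file read via the html5acc/guacamole path
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/", re.I),
    # D-Link routers: unauthenticated access to the ping_test handler
    "CVE-2019-16920": re.compile(r"/apply_sec\.cgi", re.I),
    # Nostromo nhttpd: '.%0d.' traversal segments (matched after URL decoding)
    "CVE-2019-16278": re.compile(r"(?:\.\r\./){2,}"),
    # Cisco RV320/RV325: unauthenticated config export (information disclosure)
    "CVE-2019-1653": re.compile(r"/cgi-bin/config\.exp", re.I),
    # Zoho ManageEngine Desktop Central: abused log-upload endpoint
    "CVE-2020-10189": re.compile(r"/mdm/client/v1/mdmLogUploader", re.I),
}

# Apache/NGINX common log format: src ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})')


def scan(log_text):
    """Return one hit per (line, CVE) whose request target matches an indicator.

    Both the raw target and its URL-decoded form are checked, because some
    exploits (Nostromo) only reveal the traversal after decoding %0d.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line we understand; skip, don't crash
        src, _ts, method, target, _proto, status = m.groups()
        decoded = unquote(target)
        for cve, pat in INDICATORS.items():
            if pat.search(target) or pat.search(decoded):
                hits.append({"line": lineno, "src": src, "method": method,
                             "cve": cve, "status": int(status)})
    return hits


# Constructed sample log (hypothetical addresses from RFC 5737 test ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2020:10:01:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.10 - - [12/Mar/2020:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1440
198.51.100.7 - - [12/Mar/2020:10:02:11 +0000] "POST /apply_sec.cgi HTTP/1.1" 200 0
198.51.100.7 - - [12/Mar/2020:10:02:40 +0000] "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 200 0
198.51.100.7 - - [12/Mar/2020:10:03:30 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 20480
192.0.2.5 - - [12/Mar/2020:10:04:00 +0000] "POST /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5Cjsp&filename=logger.zip HTTP/1.1" 200 12
192.0.2.9 - - [12/Mar/2020:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['src']} {h['method']} -> {h['cve']} (HTTP {h['status']})")
```

A match with a 200 status on a vulnerable, unpatched appliance should be treated as a probable compromise rather than a mere scan, and the source addresses should be pivoted against VPN, proxy, and endpoint telemetry for the follow-on activity the indictment describes (credential theft, lateral movement, certificate theft).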
Apart from the APT41 hackers, the U.S. government also indicted two Malaysian businessmen (Wong Ong Hua and Ling Yang Ching) for conspiring with two of the hackers to profit from attacks against targets in the video game industry.
They were running a video gaming company called Sea Gamer Mall, which sold digital game-related goods (like currency) and services. For more than four years, the Sea Gamer platform was used to sell video game digital goods obtained through unauthorized access provided by APT41 hackers.
Both businessmen were arrested on September 14 in Malaysia.