U.S. charges Chinese Winnti hackers for attacking 100+ companies (APT41)

Filed under Security News.

The U.S. Department of Justice announced today charges against five Chinese nationals for cyberattacks on more than 100 companies, some of them attributed to the state-backed hacking group APT41.

APT41 is one of the oldest threat groups, known primarily for cyber-espionage operations against a variety of entities, including software developers, gaming companies, hardware manufacturers, think tanks, telcos, social, universities, and foreign governments.

Kaspersky has been tracking this group since 2012 as Winnti – the name Symantec gave the malware used in attacks. APT41 has been active for more than a decade and is also known as Barium, Wicked Panda/Spider.

Front Security Company

Two of the alleged APT41 members (Zhang Haoran and Tai Dailin) were charged in August last year and were connected with the three indicted last month:

  • Jiang Lizhi, 35
  • Qian Chuan, 39
  • Fu Qiang, 37

All five hackers are currently at large and are the newest addition to the Cyber’s Most Wanted list from the FBI.

Court documents describe the trio as experienced hackers who have been working together since at least 2013 and had previously collaborated with the other two defendants.

Since 2014, Jiang, Qian, and Fu carried out hacking activity that security researchers attribute to the APT41 threat group through a front company called Chengdu 404 Network Technology.

They stole source code, software code signing certificates, customer account data, personally identifiable information, and deployed sophisticated supply-chain attacks [CCleaner, ShadowPad, ShadowHammer], the indictment reveals.

Chengdu 404 promoted itself as a network security company of white-hat hackers with clients in the public security and military sector.

Its activity included defensive and counter-offensive network security services, forensics, penetration testing, and other security-related services.

If caught, the three hackers face a cumulated maximum sentence of more than 70 years of prison time, the DOJ states in a press release.

Hacking for Self and Country

According to the indictment, Chengdu 404 employees, including Jiang, Qian, and Fu, were also conducting criminal activity that targeted more than 100 companies around the world.

The three were involved in ransomware attacks against at least three entities in May 2020: a global non-governmental organization, a real estate company in the U.S., and an energy company in Taiwan.

Ransomware attacks, along with cryptojacking operations, would be deployed for personal financial benefit, which is in contrast with the interests of Chengdu 404's customers (Chinese government agencies, including the Ministry of Public Security).

Cybersecurity companies following APT41 activity revealed that the group engages in both espionage and criminal activities. In a report in 2018, CrowdStrike highlights the double motivation of this threat actor saying that it “likely operates as an exploitation group for hire” and that it is “commonly associated with the interests of the government of the People’s Republic of China.”

“WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as “Winnti,” whereas WICKED SPIDER represents this group’s financially-motivated criminal activity” – CrowdStrike

FireEye echoes this characteristic of APT41 in research published last year, noting that:

“Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward” – FireEye

APT41 uses both custom and open-source tools to compromise victims and move laterally on their networks. The hackers also relied on exploiting severe vulnerabilities for initial access:

  • CVE-2019-19781 leading to arbitrary remote code execution in Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway)
  • CVE-2019-11510 in Pulse Secure VPN
  • CVE-2019-16920 – unauthenticated remote code execution in multiple D-Link products
  • CVE-2019-16278 – directory traversal leading to remote code execution in Nostromo web server (nhttpd)
  • CVE-2019-1652 / CVE-2019-1653 – command injection and information disclosure in Cisco RV320 and RV325 routers for small businesses
  • CVE-2020-10189 – remote code execution vulnerability in Zoho ManageEngine Desktop Central

Apart from the APT41 hackers, the U.S. government also indicted two Malaysian businessmen (Wong Ong Hua and Ling Yang Ching) for conspiring with two of the hackers to benefit from attacks against targets in the video gaming industry.

They were running a video gaming company called Sea Gamer Mall, which sold digital game-related goods (like currency) and services. For more than four years, the Sea Gamer platform was used to sell video game digital goods obtained through unauthorized access provided by APT41 hackers.

Both businessmen were arrested on September 14 in Malaysia.


The information is gathered from Bleeping Computer.