US charges 5 Chinese “Apt41” actors for hacking into more than 100 companies

September 17, 2020

U.S. federal agencies revealed criminal charges against five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC). All were charged of computer intrusions affecting over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.

The intrusions, which security researchers have tracked using the threat labels “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider,” facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information, says the Department of Justice (DOJ). These intrusions also facilitated the defendants’ other criminal schemes, including ransomware and “crypto-jacking” schemes, the latter of which refers to the group’s unauthorized use of victim computers to “mine” cryptocurrency.

In August 2020, the same federal grand jury returned a third indictment charging two Malaysian businessmen who conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game industry in the United States and abroad.

“These indictments indicate how malicious actors are diversifying their tactics to attain a broader range of outcomes. In particular, breaching gaming companies to steal in-game items and currency for real-world profit rather than stealing corporate data means security teams must be sure their efforts are well-distributed across both internal and external systems," says Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions. "The attackers were able to gain access to internal networks and likely moved laterally across the infrastructure to identify the most profitable items. Unauthorized access to the infrastructure often starts with a phishing attack. Threat actors will target particular employees and phish their credentials in order to get access to particular parts of the infrastructure. These days, phishing attacks primarily start outside of the traditional email channels. The primary channels are now SMS, social media platforms, third-party chat platforms, direct messages in gaming apps, and others that are primarily accessed on mobile devices.”

Zach Jones, Senior Director of Detection Research at WhiteHat Security, a San Jose, Calif.-based provider of application security, explains, “As highlighted in the recent report from the Atlantic Council, the techniques alleged to have been used by the defendants, supply chain attacks and use of publicly known exploits in commercial and open source software, continue to be popular and powerful attack vectors for threat actors, both large and small. This case, one of hundreds known publicly over the past two decades, highlights the continued need for increased focus on securing the software that our digital lives depend on. Organizations must increase their vigilance for vulnerabilities not only in their proprietary software but in the components they are composed of and the commercial software they operate to allow them to operate in the modern digital economy.”

In addition to arrest warrants for all of the charged defendants, in September 2020, the U.S. District Court for the District of Columbia issued seizure warrants that resulted in the recent seizure of hundreds of accounts, servers, domain names, and command-and-control (C2”) “dead drop” web pages used by the defendants to conduct their computer intrusion offenses. The FBI executed the warrants in coordination with other actions by several private-sector companies, which included disabling numerous accounts for violations of the companies’ terms of service. In addition, in partnership with the department, Microsoft developed and implemented technical measures to block this threat actor from accessing victims’ computer systems. The actions by Microsoft were a significant part of the overall effort to deny the defendants continued access to hacking infrastructure, tools, accounts, and command and control domain names, the DOJ notes. In coordination with this announcement, the FBI also released a Liaison Alert System (FLASH) report that contains critical, relevant technical information collected by the FBI for use by specific private-sector partners.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.