Security researchers hold little hope that indictments unsealed this week against five members of the China-based APT41 threat group will deter it from acting with the same impunity it has for the past several years.
The US Department of Justice on Wednesday unsealed two indictments — one from August 2019 and the other from August 2020 — charging five members of APT41 with computer intrusions, including ransomware attacks and cryptojacking schemes at over 100 companies in the US and abroad.
The five individuals are accused of targeting telecommunications firms, software development companies, computer hardware manufacturers, video game companies, and others in attacks aimed at stealing source code, trade secrets, customer data, code-signing certificates, and other information.
Three of the defendants are accused of operating a China-based company named Chengdu 404 Network Technology, which they allegedly used as a front for carrying out attacks globally. In some instances, individuals working for the company broke into systems belonging to software providers and used them to distribute malware and facilitate more attacks.
Two of the indicted individuals from APT41 are also accused of collaborating with two businessmen in Malaysia in a campaign to defraud video game companies. The individuals are alleged to have broken into widely used gaming platforms and stolen or generated video game currency and other items of digital value.
Both of the Malaysian nationals — identified as Wong Ong Hua, 46, and Ling Yang Ching, 32 — were arrested this month and could be extradited to the US to stand trial. The two are accused of operating a company called Sea Gamer Mall as a front for carrying out attacks on video game companies. Meanwhile, the five individuals from APT41 — which is also tracked as "Winnti," "Wicked Panda," "Barium," and "Wicked Spider" — remain at large in China. The DoJ identified them as Tan Dailin, 35; Zhang Haoran, 35; Qian Chuan, 39; Jiang Lizhi, 35; and Fu Qiang, 37.
All seven defendants face a slew of criminal charges that could fetch them between five and 20 years in US prison if convicted on all charges.
The likelihood of that happening, however, remains remote, at least for the China-based members of APT41.
"As long as the alleged members of the Winnti group don't leave China, they don't risk anything," says Mathieu Tartare, malware researcher at ESET, which has tracked APT41's activities closely. "So we don't think [the indictments are] likely to slow the group down."
Brandon Hoffman, CISO at Netenrich, says while the handing down of indictments against alleged cybercriminals in other countries is significant, the real impact is dependent on other factors.
"Many of these countries have not categorized this activity as actually illegal, so even if there were some extradition agreement, it's not illegal there," he says. "The only reason we have seen this be effective is when the criminal travels to a place where the US has an agreement or authority. Almost without fail, these criminals take a vacation somewhere and get caught on holiday.”
Security researchers consider APT41, aka Winnti, to be a particularly active threat group that in recent years has carried out a broad range of attacks using a portfolio of custom and legitimate tools. The group is widely believed to be working on behalf of China's intelligence services on at least some of its campaigns. There is some uncertainty over whether Winnti/APT41 is the umbrella term for a collection of smaller groups, or if it is just one large group of threat actors.
FireEye, which released a comprehensive report on the group's activities last year, has described it as an operation with a dual mission: to conduct espionage on behalf of the Chinese government and to carry out financially motivated attacks that potentially are not state-backed. FireEye's theory, in fact, is that a sort of quid-pro-quo arrangement exists between the Chinese government and APT41, where the former has been willing to turn a blind eye to the latter's criminal activities in exchange for APT41 carrying out cyber-espionage activity. FireEye has noted the arrangement has given Beijing an opportunity to carry out large-scale cyber espionage with plausibility deniability.
In announcing the indictments this week, US authorities publicly called out the same connection: "Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China."
The US government has been increasingly vocal in calling out China for allegedly sponsoring a wide range of espionage activity in support of long-term economic goals. The DoJ has handed down indictments against multiple China-based individuals recently, including two in July for allegedly trying to steal intellectual property related to COVID-19 research.
According to FireEye, APT41 has been the most active advanced persistent threat actor it has tracked so far this year. Steven Stone, director of advanced practices at FireEye, says his company has observed three consistent trends with APT41. The first is that the group appears largely unaffected by the public scrutiny of its activities.
"FireEye, along with multiple other vendors, has reported extensively on this group with no observed shift in their activity," Stone says. "We do know APT41 is aware of this public reporting, as FireEye has observed them reading multiple public pieces we have published on their activity."
The other consistent pattern with the group has been its activity across a wide range of industries and regions. Its victims have included organizations ranging from government organizations to gaming companies across 100 countries, including the US, Australia, Brazil, India, Japan, and Malaysia.
"This makes it challenging to observe a shift as they have been active at a wide range of targets almost from their beginning," Stone says.
The third aspect about APT41's activities has been the manner in which it has carried out attacks. APT41 has over the years tended to stick with a mostly consistent set of tactics, techniques, and procedures (TTPs) in its attacks. The threat actor has been using a mix of publicly available tools, established custom tools, and net new custom tools.
"Put simply, APT41 is consistent in [its] blended, evolving approach to intrusions and adapts their TTPs as needed for success," Stone says.
According to Tartare, the most recent APT41 activity that ESET tracked was at the end of August and early September.
"We've seen the Winnti Group targeting the Taiwanese academic and education sectors, an e-commerce platform in Asia, and the video game industry," he says.
Over the past few months, Tartare says ESET has observed APT41 actors relying more on a backdoor called CROSSWALK in its attacks, but it has continued to use its other malware tools as well.
"The group frequently makes use of new malware adapted to the situation, but we haven't seen [it] using new flagship malware," he says.