Indictments Unlikely to Deter China's APT41 Activity

So far, at least, the threat group has not let public scrutiny slow it down, security researchers say.

Security researchers hold little hope that indictments unsealed this week against five members of the China-based APT41 threat group will deter it from acting with the same impunity it has for the past several years.

The US Department of Justice on Wednesday unsealed two indictments — one from August 2019 and the other from August 2020 — charging five members of APT41 with computer intrusions, including ransomware attacks and cryptojacking schemes at over 100 companies in the US and abroad.


The five individuals are accused of targeting telecommunications firms, software development companies, computer hardware manufacturers, video game companies, and others in attacks aimed at stealing source code, trade secrets, customer data, code-signing certificates, and other information.

Three of the defendants are accused of operating a China-based company named Chengdu 404 Network Technology, which they allegedly used as a front for carrying out attacks globally. In some instances, individuals working for the company broke into systems belonging to software providers and used them to distribute malware and facilitate more attacks.

Two of the indicted individuals from APT41 are also accused of collaborating with two businessmen in Malaysia in a campaign to defraud video game companies. The individuals are alleged to have broken into widely used gaming platforms and stolen or generated video game currency and other items of digital value.

Both of the Malaysian nationals — identified as Wong Ong Hua, 46, and Ling Yang Ching, 32 — were arrested this month and could be extradited to the US to stand trial. The two are accused of operating a company called Sea Gamer Mall as a front for carrying out attacks on video game companies. Meanwhile, the five individuals from APT41 — which is also tracked as "Winnti," "Wicked Panda," "Barium," and "Wicked Spider" — remain at large in China. The DoJ identified them as Tan Dailin, 35; Zhang Haoran, 35; Qian Chuan, 39; Jiang Lizhi, 35; and Fu Qiang, 37.

All seven defendants face a slew of criminal charges that could fetch them between five and 20 years in US prison if convicted on all charges.

Remote Likelihood
The likelihood of that happening, however, remains remote, at least for the China-based members of APT41.

"As long as the alleged members of the Winnti group don't leave China, they don't risk anything," says Mathieu Tartare, malware researcher at ESET, which has tracked APT41's activities closely. "So we don't think [the indictments are] likely to slow the group down."

Brandon Hoffman, CISO at Netenrich, says while the handing down of indictments against alleged cybercriminals in other countries is significant, the real impact is dependent on other factors.

"Many of these countries have not categorized this activity as actually illegal, so even if there were some extradition agreement, it's not illegal there," he says. "The only reason we have seen this be effective is when the criminal travels to a place where the US has an agreement or authority. Almost without fail, these criminals take a vacation somewhere and get caught on holiday."

Security researchers consider APT41, aka Winnti, to be a particularly active threat group that in recent years has carried out a broad range of attacks using a portfolio of custom and legitimate tools. The group is widely believed to be working on behalf of China's intelligence services on at least some of its campaigns. There is some uncertainty over whether Winnti/APT41 is the umbrella term for a collection of smaller groups, or if it is just one large group of threat actors.

FireEye, which released a comprehensive report on the group's activities last year, has described it as an operation with a dual mission: to conduct espionage on behalf of the Chinese government and to carry out financially motivated attacks that potentially are not state-backed. FireEye's theory, in fact, is that a sort of quid-pro-quo arrangement exists between the Chinese government and APT41, where the former has been willing to turn a blind eye to the latter's criminal activities in exchange for APT41 carrying out cyber-espionage activity. FireEye has noted the arrangement has given Beijing an opportunity to carry out large-scale cyber espionage with plausible deniability.

Beijing Backed
In announcing the indictments this week, US authorities publicly called out the same connection: "Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China."

The US government has been increasingly vocal in calling out China for allegedly sponsoring a wide range of espionage activity in support of long-term economic goals. The DoJ has handed down indictments against multiple China-based individuals recently, including two in July for allegedly trying to steal intellectual property related to COVID-19 research.

According to FireEye, APT41 has been the most active advanced persistent threat actor it has tracked so far this year. Steven Stone, director of advanced practices at FireEye, says his company has observed three consistent trends with APT41. The first is that the group appears largely unaffected by the public scrutiny of its activities.

"FireEye, along with multiple other vendors, has reported extensively on this group with no observed shift in their activity," Stone says. "We do know APT41 is aware of this public reporting, as FireEye has observed them reading multiple public pieces we have published on their activity."

The other consistent pattern with the group has been its activity across a wide range of industries and regions. Its victims have ranged from government organizations to gaming companies across 100 countries, including the US, Australia, Brazil, India, Japan, and Malaysia.

"This makes it challenging to observe a shift as they have been active at a wide range of targets almost from their beginning," Stone says.

The third aspect of APT41's activities has been the manner in which it has carried out attacks. APT41 has over the years tended to stick with a mostly consistent set of tactics, techniques, and procedures (TTPs) in its attacks. The threat actor has been using a mix of publicly available tools, established custom tools, and newly developed custom tools.

"Put simply, APT41 is consistent in [its] blended, evolving approach to intrusions and adapts their TTPs as needed for success," Stone says.

According to Tartare, the most recent APT41 activity that ESET tracked was at the end of August and early September.

"We've seen the Winnti Group targeting the Taiwanese academic and education sectors, an e-commerce platform in Asia, and the video game industry," he says.

Over the past few months, Tartare says, ESET has observed APT41 relying more on a backdoor called CROSSWALK in its attacks, but the group has continued to use its other malware tools as well.

"The group frequently makes use of new malware adapted to the situation, but we haven't seen [it] using new flagship malware," he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
