U.S. Charges Chinese Winnti Hackers for Attacking 100+ Companies

The U.S. Department of Justice announced today charges against five Chinese nationals for cyberattacks on more than 100 companies, some of which are attributed to the state-backed hacking group APT41.

APT41 is one of the oldest threat groups, known primarily for cyber-espionage operations against a variety of entities, including software developers, gaming companies, hardware manufacturers, think tanks, telcos, social media companies, universities, and foreign governments.

Kaspersky has been tracking this group since 2012 as Winnti – the name Symantec gave the malware used in attacks. APT41 has been active for more than a decade and is also tracked as Barium and Wicked Panda/Wicked Spider.

Front security company

Two of the alleged APT41 members (Zhang Haoran and Tan Dailin) were charged in August last year and were connected with the three indicted last month:

Jiang Lizhi (蒋立志), 35

Qian Chuan (钱川), 39

Fu Qiang (付强), 37

All five hackers are currently at large and are the newest addition to the Cyber’s Most Wanted list from the FBI.

Court documents describe the trio as experienced hackers who have been working together since at least 2013 and had previously collaborated with the other two defendants.

Since 2014, Jiang, Qian, and Fu carried out hacking activity that security researchers attribute to the APT41 threat group through a front company called Chengdu 404 Network Technology.

They stole source code, software code-signing certificates, customer account data, and personally identifiable information, and deployed sophisticated supply-chain attacks (CCleaner, ShadowPad, ShadowHammer), the indictment reveals.

Chengdu 404 promoted itself as a network security company of white-hat hackers with clients in the public security and military sector.

Its activity included defensive and counter-offensive network security services, forensics, penetration testing, and other security-related services.

If caught, the three hackers face a combined maximum sentence of more than 70 years in prison, the DOJ states in a press release.

Hacking for self and country

According to the indictment, Chengdu 404 employees, including Jiang, Qian, and Fu, were also conducting criminal activity that targeted more than 100 companies around the world.

The three were involved in ransomware attacks against at least three entities in May 2020: a global non-governmental organization, a real estate company in the U.S., and an energy company in Taiwan.

Ransomware attacks, along with cryptojacking operations, were deployed for personal financial benefit, which runs contrary to the interests of the company's customers (Chinese government agencies, including the Ministry of Public Security).

Cybersecurity companies following APT41 activity revealed that the group engages in both espionage and criminal activities. In a report in 2018, CrowdStrike highlights the double motivation of this threat actor saying that it “likely operates as an exploitation group for hire” and that it is “commonly associated with the interests of the government of the People’s Republic of China.”

“WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as “Winnti,” whereas WICKED SPIDER represents this group’s financially-motivated criminal activity” – CrowdStrike

FireEye echoes this characterization of APT41 in research published last year, noting that:

“Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward” – FireEye

APT41 uses both custom and open-source tools to compromise victims and move laterally on their networks. The hackers also relied on exploiting severe vulnerabilities in internet-facing devices for initial access:

  • CVE-2019-19781 leading to arbitrary remote code execution in Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway)
  • CVE-2019-11510 – pre-authentication arbitrary file read in Pulse Secure VPN
  • CVE-2019-16920 – unauthenticated remote code execution in multiple D-Link products
  • CVE-2019-16278 – directory traversal leading to remote code execution in Nostromo web server (nhttpd)
  • CVE-2019-1652/CVE-2019-1653 – command injection and information disclosure in Cisco RV320 and RV325 routers for small businesses
  • CVE-2020-10189 – remote code execution vulnerability in Zoho ManageEngine Desktop Central
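Most of the bugs in the list above are reached over HTTP against an edge device, which means the first evidence of exploitation is usually a request path in the appliance's access log. As an added illustration (not code from the original article, the DOJ, or any of the vendor reports it cites), the following Python script scans web-server log lines for the publicly documented probe and exploit paths of four of those CVEs plus a generic directory-traversal fallback. The regexes, the log format, and the sample log lines are assumptions constructed for this example; adapt the patterns to the advisories for your own products and run the scanner over real access logs.

```python
"""
Added example: flag access-log requests that match the publicly documented
exploitation paths for several of the initial-access CVEs used by APT41
(Citrix ADC CVE-2019-19781, Pulse Secure CVE-2019-11510, Nostromo nhttpd
CVE-2019-16278, Cisco RV320/RV325 CVE-2019-1653).
Patterns and sample log lines are constructed for this example.
"""
import re
from urllib.parse import unquote

# Each rule is (CVE id, regex). Every rule is tested against both the raw
# request path and a URL-decoded copy: attackers encode "../" as "%2e%2e/",
# but Nostromo's traversal trick is the literal ".%0d./" sequence, which only
# matches BEFORE decoding (decoded it becomes ".\r./", not "../").
RULES = [
    ("CVE-2019-19781", re.compile(r"/vpn/\.\./vpns/", re.I)),
    ("CVE-2019-11510", re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/", re.I)),
    ("CVE-2019-16278", re.compile(r"\.%0d\./.*/bin/sh", re.I)),
    ("CVE-2019-1653",  re.compile(r"/cgi-bin/config\.exp", re.I)),
]

# Fallback: any decoded path that still climbs out of the web root.
TRAVERSAL = re.compile(r"(^|/)\.\./")

# Apache/nginx "combined"-style line: ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(path):
    """Return the first matching CVE id, 'traversal' for a generic
    directory-traversal attempt, or None for a benign-looking path."""
    decoded = unquote(unquote(path))  # double-decode to catch %252e%252e
    for cve, rx in RULES:
        if rx.search(path) or rx.search(decoded):
            return cve
    if TRAVERSAL.search(decoded):
        return "traversal"
    return None


def scan(lines):
    """Return a list of (ip, method, path, status, label) for every
    request that classify() considers suspicious. Lines that do not parse
    as the expected log format are skipped rather than failing the scan."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["path"])
        if label:
            hits.append((m["ip"], m["method"], m["path"], int(m["status"]), label))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, fictitious times).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 612
203.0.113.7 - - [10/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.23 - - [10/Jan/2020:03:20:41 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1843
198.51.100.23 - - [10/Jan/2020:03:22:00 +0000] "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 200 0
192.0.2.55 - - [10/Jan/2020:03:25:13 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 403 0
192.0.2.55 - - [10/Jan/2020:03:25:20 +0000] "GET /images/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0
10.0.0.5 - - [10/Jan/2020:03:30:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, method, path, status, label in scan(SAMPLE_LOG.splitlines()):
        print(f"{label:15} {ip:15} {method:5} {status} {path}")
```

The status code matters as much as the path: a 200 on the Citrix `smb.conf` probe or the Pulse `/etc/passwd` read means the appliance actually served the traversed file, so those lines indicate a likely compromise rather than just a scan, while the 403 on `config.exp` in the sample shows a blocked attempt. Keep the generic traversal rule even once you have vendor-specific signatures; it is what catches the encoded variant on the sixth line, which no single CVE rule names.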

Apart from the APT41 hackers, the U.S. government also indicted two Malaysian businessmen (Wong Ong Hua and Ling Yang Ching) for conspiring with two of the hackers to profit from attacks against targets in the video gaming industry.

They were running a video gaming company called Sea Gamer Mall, which sold digital game-related goods (like currency) and services. For more than four years, the Sea Gamer platform was used to sell video game digital goods obtained through unauthorized access provided by APT41 hackers.

Both businessmen were arrested on September 14 in Malaysia.

Privacy Ninja