In a significant move today, the United States government filed charges against five individuals linked to a state-sponsored Chinese hacking group known as APT41, as well as two Malaysian hackers. This group is believed to have compromised over one hundred businesses globally, showcasing a sophisticated range of cyber-espionage and financially motivated attacks.

APT41, referred to by other aliases such as ‘Barium’, ‘Winnti’, ‘Wicked Panda’, and ‘Wicked Spider’, has been active since 2012. Their operations extend beyond the collection of strategic intelligence from various sectors, encompassing attacks specifically targeting the online gaming industry for financial gain. A press release issued by the U.S. Department of Justice details that among the charged individuals, Zhang Haoran and Tan Dailin were previously indicted in August 2019, while the remaining three, Jiang Lizhi, Qian Chuan, and Fu Qiang, alongside the two accomplices from Malaysia, were named in separate indictments from August 2020.

The three Chinese hackers indicted in 2020 have ties to Chengdu 404 Network Technology, a purported network security company that the People’s Republic of China allegedly runs as a front for its cyber operations. Court documents reveal longstanding collaboration between these individuals, with evidence of their involvement with multiple internet and gaming firms.

The hacking methods employed by APT41 align with tactics catalogued in the MITRE ATT&CK framework, in particular initial access via software supply chain attacks. Such attacks introduce malicious software into victim environments through channels the victims already trust, often by abusing compromised digital signatures so that tampered code appears to come from a legitimate application vendor. This lets the attackers infiltrate targeted organizations efficiently and retrieve sensitive information.

Furthermore, the targeted sectors are extensive, including software development companies, telecommunications providers, social media platforms, video game enterprises, and even foreign government networks in countries such as India and Vietnam. This highlights the expansive reach and audacity of the attackers, particularly their intrusion attempts against pro-democracy activists in Hong Kong, which raise concerns over geopolitical ramifications.

On the Malaysian side, Wong Ong Hua and Ling Yang Ching were apprehended on September 14, 2020, and are currently facing extradition to the United States. The FBI confirmed that the five Chinese nationals remain at large, underscoring the ongoing nature of the investigation.

Recent developments include the issuance of seizure warrants by the U.S. District Court aiming to disrupt the hackers’ infrastructure. This action led to the confiscation of numerous accounts, servers, and command-and-control domains that facilitated these cyber attacks. In a broader context, technology companies, including Microsoft, have also contributed significantly to limiting the defendants’ access to critical hacking resources and tools.

Zhang and Tan are specifically facing 25 counts related to computer fraud and money laundering, each potentially facing a sentence of up to 20 years in prison. Meanwhile, the charges against Jiang, Qian, and Fu include similar counts, with nine counts carrying the same severe penalties. The Malaysian hackers are charged with 23 related offenses, including domain name fraud, which could escalate their potential prison time.

This incident underscores the evolving threat landscape posed by state-sponsored hacking groups and the necessity for vigilance among organizations worldwide. Understanding the tactics employed, as outlined by the MITRE ATT&CK framework, provides essential insights into the persistent risks businesses face in an increasingly interconnected digital environment.
