APT41 Operatives Indicted as Sophisticated Hacking Activity Continues


Five alleged members of the China-linked advanced threat group, along with two associates, have been indicted by a federal grand jury on dozens of charges.


Five alleged members of the APT41 threat group have been indicted by a federal grand jury, in two separate actions that were unsealed this week.

Meanwhile, the Department of Treasury also imposed sanctions on individuals and organizations associated with Iran-linked APT39.

APT41 (a.k.a. Barium, Winnti, Wicked Panda or Wicked Spider) is known for nation-state-backed cyber-espionage activity as well as financial cybercrime. The Department of Justice alleges that the group “facilitated the theft of source code, software code-signing certificates, customer-account data and valuable business information,” which in turn “facilitated other criminal schemes, including ransomware and cryptojacking.”

The five suspected perpetrators, all of whom are residents and nationals of the People’s Republic of China (PRC), are charged with hacking more than 100 victim companies in the United States and abroad, including software-development companies, computer-hardware manufacturers, telecom providers, social-media companies, video-game companies, nonprofit organizations, universities, think tanks and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.

According to John Hultquist, senior director of analysis at Mandiant Threat Intelligence, APT41 has been the most prolific Chinese threat actor tracked by the firm in the last year.

“This is a unique actor, who carries out global cyber-espionage while simultaneously pursuing a criminal venture,” he said via email. “Their activity traces back to 2012, when individual members of APT41 conducted primarily financially motivated operations focused on the video-game industry, before expanding into traditional espionage, most likely directed by the state. APT41’s ability to successfully blend their criminal and espionage operations is remarkable.”

According to Mandiant, APT41 has lately been involved in several high-profile supply-chain incidents, in which the group often blended its criminal interest in video games with its espionage activity.

“For instance, they compromised video-game distributors to proliferate malware, which could then be used for follow-up operations,” he said. “They have also been connected to well-known incidents involving Netsarang and ASUS updates.”

In terms of targeted sectors, APT41 has been focused on telecom, travel and hospitality – likely because it has been looking to “identify, monitor and track individuals of interest, operations which could have serious, even physical consequences for some victims,” he added. “They have also participated in efforts to monitor Hong Kong during recent democracy protests.”

Intellectual property theft is on the menu too, Hultquist said, when it comes to medical institutions and medical technology, likely related to the COVID-19 pandemic.

“The scope and sophistication of the crimes in these unsealed indictments is unprecedented. The alleged criminal scheme used actors in China and Malaysia to illegally hack, intrude and steal information from victims worldwide,” said Michael Sherwin, acting U.S. attorney for the District of Columbia, in a DoJ statement this week. “As set forth in the charging documents, some of these criminal actors believed their association with the PRC provided them free license to hack and steal across the globe. This scheme also contained a new and troubling cybercriminal component – the targeting and utilization of gaming platforms to both defraud video game companies and launder illicit proceeds.”

Specific Charges

In terms of the specifics, an August 2019 indictment charged Zhang Haoran and Tan Dailin with 25 counts of conspiracy, wire fraud, aggravated identity theft, money laundering and violations of the Computer Fraud and Abuse Act (CFAA). The second indictment, from August of this year, charged Jiang Lizhi, Qian Chuan and Fu Qiang with nine counts of racketeering conspiracy, conspiracy to violate the CFAA, substantive violations of the CFAA, access device fraud, identity theft, aggravated identity theft and money laundering.

The second August 2020 indictment charged Wong Ong Hua and Ling Yang Ching. They were charged with 23 counts of racketeering, conspiracy, identity theft, aggravated identity theft, access device fraud, money laundering, violations of the CFAA and falsely registering domain names. The indictment alleged that Wong and Ling worked with various hackers, including Zhang and Tan, to profit from the hackers’ criminal computer intrusions at video game companies.

All of them are still at large.

The same federal grand jury also returned a third indictment charging two APT41 associates: Both are Malaysian businessmen, who are accused of targeting the video-game industry and aiding APT41 in its efforts to monetize its activities. The duo was arrested on Monday by Malaysian authorities in Sitiawan; they are now awaiting extradition.

The charges against all of the defendants carry maximum sentences that range between two and 20 years in prison.

Infrastructure Sinkholing

In tandem with the indictments, the U.S. District Court for the District of Columbia this month also paved the way for the seizure of hundreds of accounts, servers, domain names and command-and-control (C2) servers used by the defendants to conduct their computer intrusion offenses. The FBI executed a series of warrants in coordination with the private sector, including Microsoft, to deny APT41 access to its hacking infrastructure, the various service accounts it abuses, and its C2 domains.

“The Department of Justice has used every tool available to disrupt the illegal computer intrusions and cyberattacks by these Chinese citizens,” said Deputy Attorney General Jeffrey Rosen. “Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China.”

APT39 Sanctions

As for APT39, the Treasury Department said on Thursday that masked behind its front company, Rana Intelligence Computing Co., the government of Iran used the advanced persistent threat group to carry out a years-long malware campaign that targeted Iranian dissidents, journalists and international companies in the travel sector.

Victims of APT39’s activity have been “subjected to arrest and physical and psychological intimidation” by Iran’s Ministry of Intelligence, according to a press release.

The department named 45 individuals in addition to Rana and APT39, and prohibits U.S. citizens and businesses from interacting with them for any financial or commercial purpose.

“We believe the actor, who we have tracked for over five years, is enabling Iranian surveillance,” Mandiant’s Hultquist said. “The actor has focused heavily on the telecommunications and travel industries as part of an effort to collect customer data and personal information on targets of interest. These efforts could threaten the customers of victim organizations who may then be physically endangered by the Iranian security services.”

Lessons in Defense

APT41 and APT39 are just two of many advanced threat groups that target businesses and civil society on behalf of foreign governments – something that organizations need to be aware of, researchers told Threatpost.

“As highlighted in the recent report from the Atlantic Council, the techniques alleged to have been used by the defendants (supply-chain attacks and use of publicly known exploits in commercial and open-source software) continue to be popular and powerful attack vectors for threat actors, both large and small,” Zach Jones, senior director of detection research at WhiteHat Security, told Threatpost. “This case, one of hundreds known publicly over the past two decades, highlights the continued need for increased focus on securing the software that our digital lives depend on.”

To protect themselves, organizations first and foremost should patch vulnerabilities, in both commercial and proprietary software that may have been built on open code bases, he added.

Meanwhile, Hank Schless, senior manager of security solutions at Lookout, told Threatpost the indictments indicate how malicious actors are diversifying their tactics to achieve a broader range of outcomes – something that organizations should take note of.

“In particular, breaching gaming companies to steal in-game items and currency for real-world profit rather than stealing corporate data means security teams need to be sure their efforts are well-distributed across both internal and external systems,” he said – especially as more people are working from home. “The attackers were able to gain access to internal networks and likely moved laterally across the infrastructure to identify the most profitable items.”

Unauthorized access to the infrastructure often starts with a phishing attack, he warned.

“Threat actors will target particular employees and phish their credentials in order to get access to particular parts of the infrastructure,” he said. “These days, phishing attacks primarily start outside of the traditional email channels. The primary channels are now SMS, social media platforms, third-party chat platforms, direct messages in gaming apps, and others that are primarily accessed on mobile devices.”

The onslaught of sophisticated, high-end cyber-activity is unlikely to wane, even with high-profile indictments like this one, Mandiant’s Hultquist concluded.

“Intelligence services leverage criminals such as APT41 for their own ends because they are an expedient, cost-effective and deniable capability,” he said. “APT41’s criminal operations appear to predate the work they do on behalf of the state and they may have been co-opted by a security service who would have significant leverage over them. In situations such as this, a bargain can be reached between the security service and the operators wherein the operators enjoy protection in return for offering high-end talent to the service. Furthermore, the service enjoys a measure of deniability when the operators are identified. Arguably, that is the case right now.”

This post was updated at 4:45 p.m. ET to include information about sanctions on APT39.
