Prosecutors Say Members of APT41 Blended Espionage With Cybercrime
The suspects have been accused of numerous crimes, including stealing “over 67,000 photographs with filenames bearing peoples’ names” from a university in Taiwan. (Source: U.S. Justice Department)
Federal prosecutors on Wednesday unsealed indictments that charge five Chinese suspects – alleged members of the APT41 hacking group – with breaching more than 100 companies, government agencies and other organizations around the world.
The U.S. Department of Justice alleges the hackers conducted attacks to steal source code, software code-signing certificates, customer account data and valuable business information.
Arrest warrants have been issued for the five Chinese hackers, but they remain at large, likely in China, and thus are unlikely to face arrest, because the U.S. has no extradition treaty with China.
Tied to this investigation, police in Malaysia have arrested two citizens, based on an indictment filed in U.S. federal court charging them with conspiring with two of the Chinese hackers to obtain and sell in-game currency for video games.
Suspected APT41 Connection
The five Chinese suspects are allegedly part of the hacking group APT41 – also known as Barium, Winnti, Wicked Panda and Wicked Spider.
They have all been charged with computer intrusions affecting more than 100 companies in the United States and elsewhere. Victims include computer hardware and software companies, telecoms, social media firms, video game makers, nonprofits and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.
The five suspects – Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang – were charged in two separate indictments that were filed in August 2019 and August 2020, which were unsealed Wednesday.
Security researchers say the attack group is well known, including for disguising apparent nation-state operations as cybercrime. John Hultquist, senior director of analysis for FireEye’s Mandiant Threat Intelligence team, says that over the past year, “APT41 has been the most prolific Chinese threat actor tracked” by his group.
“APT41 has been involved in several high-profile supply chain incidents, which often blended their criminal interest in video games with the espionage operations they were carrying out on behalf of the state,” he says. “For instance, they compromised video game distributors to proliferate malware which could then be used for follow-up operations.”
2020 Indictment Charges 5 Chinese Men
In the August 2020 indictment, Jiang, Qian and Fu were charged with nine counts of racketeering conspiracy, conspiracy to violate the Computer Fraud and Abuse Act, substantive violations of the CFAA, access device fraud, identity theft, aggravated identity theft and money laundering. All the charges pertain to the three defendants working for the Chinese firm Chengdu 404 Network Technology that was allegedly involved in a pattern of racketeering affecting more than 100 companies as well as government networks in India and Vietnam.
Each of the charges carries a maximum sentence of between five and 20 years in prison.
“The defendants associated with Chengdu 404 employed sophisticated hacking techniques to gain and maintain access to victim computer networks,” the Justice Department says. “One example was the defendants’ use of supply chain attacks, in which the hackers compromised software providers and then modified the providers’ code to facilitate further intrusions against the software providers’ customers.”
The defendants allegedly used malicious websites and publicly available tools and exploited unpatched vulnerabilities, prosecutors say.
Experts say they are far from the only hacking group to use such tactics. On Tuesday, for example, the U.S. Cybersecurity and Infrastructure Security Agency warned that the Iranian-linked hacking group known as Pioneer Kitten was using similar methods to conduct attacks (see: Iranian Hackers Exploiting Unpatched Vulnerabilities).
2019 Indictment Charges 2 Malaysian Men
The August 2019 indictment charged Zhang and Tan with 25 counts of conspiracy, wire fraud, aggravated identity theft, money laundering and violations of the Computer Fraud and Abuse Act for participating in computer hacking and video game conspiracies. The two men allegedly used spear-phishing emails with malicious attachments, along with supply chain attacks, to compromise software development companies and their third-party developers.
The individual charges each carry sentences of between five and 20 years.
Prosecutors say the video game conspiracy started in 2014, and saw Zhang and Tan attempting to make money by hacking into video game companies, obtaining and otherwise generating video game currency, and then selling it for a profit.
The two men allegedly also used their unauthorized access to the gaming companies to attack other groups, again for the purpose of stealing and selling video game currency.
A 23-count indictment accuses two Malaysian men – Wong Ong Hua and Ling Yang Ching – of conspiring with Zhang and Tan. The two Malaysian men allegedly operated an online platform called Sea Gamer Mall to sell digital goods and video game services, including in-game currency, according to the Justice Department. The men face numerous charges, including racketeering conspiracy, intentional damage to a protected computer and unauthorized access to a protected computer.
Prosecutors Move to Seize Property
In another move against APT41, the U.S. District Court for the District of Columbia earlier this month issued warrants that resulted in the seizure of hundreds of accounts, servers, domain names and command-and-control “dead drop” web pages used to conduct computer intrusion offenses, the Justice Department says.
Microsoft says it has implemented technical measures to block APT41 from accessing victims’ computer systems.