The US government yesterday brought charges against five Chinese citizens suspected of being associated with the hacking group APT41 (aka Winnti, Suckfly, Wicked Panda, Barium, etc.), which organized attacks on more than 100 companies around the world.
According to the released court documents, the group hacked into software companies, computer hardware manufacturers, telecommunications service providers, social media companies, video game companies, healthcare organizations, non-profit organizations, educational institutions, think tanks, and so on. The hackers stole proprietary data from victims, including source code, code-signing certificates, customer data, and other valuable business information.
Winnti's victim companies were based in countries such as the United States, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam. Also, the US authorities said that APT41 members hacked into computer networks of foreign governments in India and Vietnam and attacked pro-democracy politicians and activists in Hong Kong. In addition, attempts were made to attack the UK government, but they were unsuccessful.
Let me remind you that Winnti has been active since at least 2012. Although APT41's operations were first detailed in a FireEye report published in August 2019, the experts there linked the group to major supply-chain attacks, the earliest of which were committed back in 2012.
The group's key interests are espionage and financial gain. Over the entire period of activity of this group, its victims have been companies from the aerospace industry, energy, pharmaceutical, financial and telecommunications industries, and even the gaming industry. Still, most of the hacks were aimed at gaming companies, from which hackers stole the source code or in-game digital currencies.
The hackers' main arsenal is proprietary malware, and during campaigns Winnti uses sophisticated attack methods, including supply-chain and watering-hole attacks. In some cases, APT41 also used ransomware and miners, but it is not known how many such incidents there were. The US Department of Justice mentions only one victim of a ransomware attack and describes it as a "non-profit organization dedicated to the fight against global poverty."
According to the court documents, the first two APT41 members were identified and charged back in August 2019, shortly after the publication of the FireEye report. The 2019 indictment states that the charges relate to attacks on IT and video game companies, as well as the hacking of an unnamed citizen of the United Kingdom. The two suspects were identified as 35-year-old Zhang Haoran (张浩然) and 35-year-old Tang Dailin (谭戴林).
Three more members of the group were indicted a year later, in August 2020. According to the documents, 35-year-old Jiang Lizhi (蒋立志), 39-year-old Qian Chuan (钱川) and 37-year-old Fu Qiang (付强) are responsible for most of the APT41 attacks.
The US authorities are sure that these people are employees of the Chengdu 404 Network Technology front company, which operates under the control and orders of Chinese officials. For example, court documents contain logs of intercepted chats between Jiang Lizhi and other alleged hackers, where Jiang explicitly states that he is working under the direction of a senior official from the Chinese Ministry of Public Security.
All five members of APT41 remain at large, but now their names are included in the FBI's most wanted cybercriminals list.
The FBI, which led the investigation, says it received a court order earlier this month and seized "hundreds of accounts, servers, domain names, and dead drop C&C pages used by APT41 in past operations."
In addition, the US authorities have brought charges against two Malaysian businessmen suspected of conspiring with Winnti members in order to profit from attacks on game developers. The two were arrested on Monday, 14 September 2020, in Malaysia. Documents are currently being prepared for their extradition to the United States.
According to the court papers, 46-year-old Wong Ong Hua and 32-year-old Ling Yang Ching owned Sea Gamer Mall, a site that sold digital currencies for various online games. According to law enforcement officials, some of the game currency sold there was supplied to the businessmen by APT41 members, who had stolen it from the game companies.