Seven charged in connection with Chinese state-backed cyber attacks

The US Department of Justice (DoJ) has charged five Chinese and two Malaysian nationals in connection with cyber attacks that targeted more than 100 organisations around the world.

Two indictments were returned by a federal grand jury in Washington DC in August 2019 and August 2020, charging five members of the APT41 advanced persistent threat (APT) group – also known as Barium, Winnti, Wicked Panda and Wicked Spider – with facilitating the theft of source code, software signing certificates, customer data and other business information.

The attacks targeted software developers and computer hardware manufacturers, telcos, social media platforms, video game companies, non-profits, universities, think-tanks and government agencies, as well as members of Hong Kong’s pro-democracy movement. UK government agencies are understood to have been targeted – but not successfully compromised – during the campaign.

The DoJ said APT41’s intrusions also facilitated other criminal schemes, including deploying ransomware against their targets, and illicit cryptomining activities. The charges against them include conspiracy, wire fraud, aggravated identity theft, money laundering and violations of the Computer Fraud and Abuse Act (CFAA).

“The Department of Justice has used every tool available to disrupt the illegal computer intrusions and cyber attacks by these Chinese citizens,” said deputy attorney general Jeffrey Rosen. “Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cyber criminals so long as they attack computers outside China and steal intellectual property helpful to China.”

The conspirators allegedly employed “sophisticated hacking techniques” to gain access to their targets, including supply chain attacks that compromised software suppliers and tweaked their code to facilitate intrusions into their customers, as well as command and control (C2) “dead drops”, apparently legitimate web pages created by the hackers but that were actually surreptitiously encoded instructions to their malware.

They also took advantage of several disclosed common vulnerabilities and exposures (CVEs), including the infamous CVE-2019-19781 Citrix vulnerability.

A third indictment charges two Malaysian businessmen with conspiring with two of the APT41 hackers to profit from intrusions targeting the video game industry. They were arrested by the Malaysian authorities on Monday 14 September and are awaiting extradition. The remaining five defendants, one of whom is said to have boasted about his ties to the Chinese government, are at large in China.

“Today’s announcement demonstrates the ramifications faced by the hackers in China, but it is also a reminder to those who continue to deploy malicious cyber tactics that we will utilise every tool we have to administer justice,” said FBI deputy director David Bowdich.

“The arrests in Malaysia are a direct result of partnership, cooperation and collaboration. As the cyber threat continues to evolve larger than any one agency can address, the FBI remains committed to being an indispensable partner to our federal, international and private-sector partners to stop rampant cyber crime and hold those carrying out these kind of actions accountable.”

John Hultquist, senior director of threat intelligence at Mandiant, who has been tracking APT41 for some time, said the group was easily the most active Chinese threat actor, noted for its simultaneous pursuit of state-approved cyber espionage activity alongside criminal ventures.

“Their activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into traditional espionage, most likely directed by the state,” he said. “APT41’s ability to successfully blend their criminal and espionage operations is remarkable.

“APT41 has been involved in several high-profile supply chain incidents which often blended their criminal interest in video games with the espionage operations they were carrying out on behalf of the state. For instance, they compromised video game distributors to proliferate malware which could then be used for follow-up operations. They have also been connected to well-known incidents involving Netsarang and ASUS updates.”

Hultquist added: “In recent years, they have focused heavily on the telecommunications, travel and hospitality sectors, which we believe are attempts to identify, monitor and track individuals of interest, operations which could have serious, even physical consequences for some victims. They have also participated in efforts to monitor Hong Kong during recent democracy protests.”

Mandiant believes the Chinese intelligence services are inclined to use APT41 for their own ends because they are “expedient, cost-effective and deniable”. Since its criminal operations seem to predate its espionage operations, it is possible that the group is being manipulated by a security service that has some form of leverage over it.

Cybereason’s Sam Curry said it was unlikely that any of the indicted individuals would ever face justice, at least not in the US.

“The Chinese are a cyber superpower and they are responsible for billions of dollars in IP theft annually from thousands of companies,” he said. “Companies and government agencies need to take today’s indictments seriously and heed the warning. It is imperative that they invest in improving their network defences against these types of blatant and egregious espionage-related activities.

“It is critical for all companies to invest in threat-hunting services that are deployed around the clock, like security guards are to protect physical property. Today’s well-trained cyber security guards have the skills to spot malicious computer network activity that put an end to massive amounts of IP theft and loss.”

Curry added that even though malicious cyber activities linked to the Chinese government are an open secret, China’s leadership will disclaim all knowledge and deny everything, making this something of a “a she said, Xi said moment” in accountability terms.