Jump to content

Double Dragon (hacking group): Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m cat
use better link
 
(23 intermediate revisions by 15 users not shown)
Line 1: Line 1:
{{Short description|Hacking organization with ties to China's Ministry of State Security}}
{{Short description|Hacking organization}}
{{Use mdy dates|date=November 2024}}
== Origin ==
'''Double Dragon'''{{efn|Other names include APT41, BARIUM, Axiom, Winnti, Wicked Panda, Wicked Spider,<ref name=":3" /> TG-2633, Bronze Atlas, Red Kelpie, Blackfly,<ref name=":8">{{Cite web |title=APT 41 Threat Group Cards: A Threat Actor Encyclopedia |url=https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=APT%2041 |access-date=2021-05-29 |website=apt.thaicert.or.th |archive-date=2021-06-02 |archive-url=https://web.archive.org/web/20210602212324/https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=APT%2041 |url-status=live }}</ref> or Brass Typhoon<ref name="ms-threat-actors-24">{{cite web |title=How Microsoft names threat actors |url=https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming |publisher=Microsoft |access-date=January 21, 2024}}</ref>}} is a [[hacker group]] with alleged ties to the Chinese [[Ministry of State Security (China)|Ministry of State Security]] (MSS).<ref>{{Cite news |last=Volz |first=Dustin |date=March 8, 2022 |title=U.S. State Governments Hit in Chinese Hacking Spree |language=en-US |work=[[The Wall Street Journal]] |url=https://www.wsj.com/articles/u-s-state-governments-hit-in-chinese-hacking-spree-11646751601 |access-date=2022-03-10 |issn=0099-9660 |archive-date=2022-03-10 |archive-url=https://web.archive.org/web/20220310032016/https://www.wsj.com/articles/u-s-state-governments-hit-in-chinese-hacking-spree-11646751601 |url-status=live }}</ref> Classified as an [[advanced persistent threat]], the organization was named by the [[United States Department of Justice]] in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.<ref>{{Cite web |last=Cimpanu |first=Catalin |title=US charges five hackers from Chinese state-sponsored group APT41 |url=https://www.zdnet.com/article/us-charges-five-hackers-part-of-chinese-state-sponsored-group-apt41/ |access-date=2020-09-17 |website=ZDNet |language=en |archive-date=2020-09-16 |archive-url=https://web.archive.org/web/20200916152001/https://www.zdnet.com/article/us-charges-five-hackers-part-of-chinese-state-sponsored-group-apt41/ |url-status=live }}</ref><ref>{{Cite web |title=FBI Deputy Director David Bowdich's Remarks at Press Conference on China-Related Cyber Indictments |url=https://www.fbi.gov/news/pressrel/press-releases/fbi-deputy-director-david-bowdichs-remarks-at-press-conference-on-china-related-cyber-indictments |access-date=2020-09-17 |website=Federal Bureau of Investigation |language=en-us |archive-date=2020-09-17 |archive-url=https://web.archive.org/web/20200917195826/https://www.fbi.gov/news/pressrel/press-releases/fbi-deputy-director-david-bowdichs-remarks-at-press-conference-on-china-related-cyber-indictments |url-status=live }}</ref><ref>{{Cite web |last=Rodzi |first=Nadirah H. |date=September 17, 2020 |title=Malaysian digital game firm's top execs facing extradition after US accuses them of cyber crimes |url=https://www.straitstimes.com/asia/se-asia/perak-based-sea-gamer-malls-top-personnel-facing-extradition-after-us-department-of |access-date=2020-09-17 |website=The Straits Times |language=en |archive-date=2020-09-18 |archive-url=https://web.archive.org/web/20200918092947/https://www.straitstimes.com/asia/se-asia/perak-based-sea-gamer-malls-top-personnel-facing-extradition-after-us-department-of |url-status=live }}</ref><ref>{{Cite web |last=Yong |first=Charissa |date=September 16, 2020 |title=China acting as a safe haven for its cyber criminals, says US |url=https://www.straitstimes.com/world/united-states/us-charges-7-in-wide-ranging-chinese-hacking-effort |access-date=2020-09-17 |website=The Straits Times |language=en |archive-date=2020-09-17 |archive-url=https://web.archive.org/web/20200917033204/http://www.straitstimes.com/world/united-states/us-charges-7-in-wide-ranging-chinese-hacking-effort |url-status=live }}</ref>

In 2019, the cybersecurity company [[Trellix|FireEye]] stated with high confidence that the group was sponsored by the [[Chinese Communist Party]] (CCP) while conducting operations for financial gain.<ref name=":0">{{cite report |url=https://content.fireeye.com/apt-41/rpt-apt41/ |title=APT41: A Dual Espionage and Cyber Crime Operation |date=August 7, 2019 |publisher=FireEye |author-link=FireEye |access-date=2020-04-20 |archive-date=2021-05-07 |archive-url=https://web.archive.org/web/20210507025313/https://content.fireeye.com/apt-41/rpt-apt41/ |url-status=dead }}</ref> The name "Double Dragon" originates from the duality of their operation, as they engage in espionage and individual financial gain.<ref>{{Cite web |title=[Video] State of the Hack: APT41 Double Dragon: The Spy Who Fragged Me |url=https://content.fireeye.com/apt-41/video-state-of-the-hack-apt41 |access-date=2021-05-29 |website=FireEye |language=en |archive-date=2021-06-02 |archive-url=https://web.archive.org/web/20210602212300/https://content.fireeye.com/apt-41/video-state-of-the-hack-apt41 |url-status=live }}</ref> The devices they use are usually used for state-sponsored intelligence.

Investigations conducted by FireEye have found APT 41 operations in multiple sectors, such as healthcare, telecommunications, and technology.<ref name=":0" /> The group conducts many of its financial activities in the video game industry, including development studios, distributors, and publishers.<ref name=":2">{{Citation |last1=Kendzierskyj |first1=Stefan |title=Critical National Infrastructure, C4ISR and Cyber Weapons in the Digital Age |date=2020 |url=http://dx.doi.org/10.1007/978-3-030-35746-7_1 |pages=3–21 |access-date=2021-05-25 |series=Advanced Sciences and Technologies for Security Applications |place=Cham |publisher=Springer International Publishing |doi=10.1007/978-3-030-35746-7_1 |isbn=978-3-030-35745-0 |s2cid=216513092 |last2=Jahankhani |first2=Hamid}}</ref>

{{Infobox organization
{{Infobox organization
| name = Double Dragon
| name = Double Dragon
Line 6: Line 12:
| image =
| image =
| alt =
| alt =
| formation = [[2012]]
| formation = 2012
| type = [[Advanced persistent threat]]
| type = [[Advanced persistent threat]]
| purpose = [[Cyberespionage]], [[cyberwarfare]], [[Cybercrime]]
| purpose = [[Cyberespionage]], [[cyberwarfare]], [[Cybercrime]]
| motto =
| motto =
| headquarters =
| headquarters =
| region = [[China]]
| region = China
| methods = [[spearphishing]], [[malware]], [[supply chain attack]]
| methods = [[spearphishing]], [[malware]], [[supply chain attack]]
| membership =
| membership =
Line 23: Line 29:
| remarks =
| remarks =
}}
}}

'''Double Dragon''' (also known as '''APT41, Barium, Winnti, Wicked Panda, Wicked Spider,'''<ref name=":3" /> '''TG-2633, Bronze Atlas, Red Kelpie, Blackfly''')<ref name=":8">{{Cite web|title=APT 41 - Threat Group Cards: A Threat Actor Encyclopedia|url=https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=APT%2041|access-date=2021-05-29|website=apt.thaicert.or.th}}</ref> is a [[Hacker|hacking]] organization with alleged ties to the Chinese [[Ministry of State Security (China)|Ministry of State Security]] (MSS).<ref>{{Cite news |last=Volz |first=Dustin |date=2022-03-08 |title=U.S. State Governments Hit in Chinese Hacking Spree |language=en-US |work=[[The Wall Street Journal]] |url=https://www.wsj.com/articles/u-s-state-governments-hit-in-chinese-hacking-spree-11646751601 |access-date=2022-03-10 |issn=0099-9660}}</ref> Classified as an [[advanced persistent threat]], the organization was named by the [[United States Department of Justice]] in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.<ref>{{Cite web|last=Cimpanu|first=Catalin|title=US charges five hackers from Chinese state-sponsored group APT41|url=https://www.zdnet.com/article/us-charges-five-hackers-part-of-chinese-state-sponsored-group-apt41/|access-date=2020-09-17|website=ZDNet|language=en}}</ref><ref>{{Cite web|title=FBI Deputy Director David Bowdich's Remarks at Press Conference on China-Related Cyber Indictments|url=https://www.fbi.gov/news/pressrel/press-releases/fbi-deputy-director-david-bowdichs-remarks-at-press-conference-on-china-related-cyber-indictments|access-date=2020-09-17|website=Federal Bureau of Investigation|language=en-us}}</ref><ref>{{Cite web|last=Rodzi |first=Nadirah H. |date=2020-09-17|title=Malaysian digital game firm's top execs facing extradition after US accuses them of cyber crimes|url=https://www.straitstimes.com/asia/se-asia/perak-based-sea-gamer-malls-top-personnel-facing-extradition-after-us-department-of|access-date=2020-09-17|website=The Straits Times|language=en}}</ref><ref>{{Cite web|first=Charissa |last=Yong|date=2020-09-16|title=China acting as a safe haven for its cyber criminals, says US|url=https://www.straitstimes.com/world/united-states/us-charges-7-in-wide-ranging-chinese-hacking-effort|access-date=2020-09-17|website=The Straits Times|language=en}}</ref>

In 2019, the cybersecurity company [[Trellix|FireEye]] stated with high confidence that the group was sponsored by the [[Chinese Communist Party]] (CCP) while conducting operations for financial gain.<ref name=":0" /> The name “Double Dragon” originates from the duality of their operation, as they engage in espionage and individual financial gain.<ref>{{Cite web|title=[Video] State of the Hack: APT41 - Double Dragon: The Spy Who Fragged Me|url=https://content.fireeye.com/apt-41/video-state-of-the-hack-apt41|access-date=2021-05-29|website=FireEye|language=en}}</ref> The devices they use are usually used for state-sponsored intelligence.

Investigations conducted by FireEye have found APT 41 operations in multiple sectors, such as healthcare, telecommunications, and technology.<ref name=":0">{{cite report|url=https://content.fireeye.com/apt-41/rpt-apt41/|title=APT41: A Dual Espionage and Cyber Crime Operation|date=2019-08-07|publisher=FireEye|author-link=FireEye|access-date=2020-04-20}}</ref> The group conducts many of its financial activities in the video game industry, including development studios, distributors, and publishers.<ref name=":2">{{Citation|last1=Kendzierskyj|first1=Stefan|title=Critical National Infrastructure, C4ISR and Cyber Weapons in the Digital Age|date=2020|url=http://dx.doi.org/10.1007/978-3-030-35746-7_1|work=Advanced Sciences and Technologies for Security Applications|pages=3–21|place=Cham|publisher=Springer International Publishing|isbn=978-3-030-35745-0|access-date=2021-05-25|last2=Jahankhani|first2=Hamid|doi=10.1007/978-3-030-35746-7_1|s2cid=216513092}}</ref>


== Associated personnel ==
== Associated personnel ==
[[File:APT-41-Group-Cyber-Wanted-Web.pdf|thumb|An FBI wanted poster for 5 Chinese hackers associated with APT 41]]
[[File:APT-41-Group-Cyber-Wanted-Web.pdf|thumb|An FBI wanted poster for 5 Chinese hackers associated with APT 41]]
In their earlier activities, APT 41 has used domains registered to the monikers “Zhang Xuguang” ([[Simplified Chinese characters|simplified Chinese]]: 张旭光) and “Wolfzhi”. These online personas are associated with APT 41's operations and specific online Chinese language forums, although the number of other individuals working for the group is unknown.<ref name=":0" /> “Zhang Xuguang” has activity on the online forum Chinese Hackers Alliance (simplified Chinese: 华夏黑 客同盟). Information related to this individual includes his year of birth, 1989, and his former living in [[Inner Mongolia]] of PRC.<ref name=":4">{{Cite web|first=Max|last=Eddy|date=2019-08-07|title=APT41 Is Not Your Usual Chinese Hacker Group|url=https://au.pcmag.com/news/63066/apt41-is-not-your-usual-chinese-hacker-group|access-date=2021-05-29|website=PCMag Australia|language=en-au}}</ref> The persona has also posted on a forum regarding the [[Age of Wushu]] online game, using the moniker “injuriesa” in 2011.<ref name=":0" /> Emails and online domains associated with “Wolfzhi” also lead to a data science community profile. Forum posts also suggest that the individual is from [[Beijing]] or the nearby province, [[Hebei]].<ref name=":0" /><ref name=":4" />
In their earlier activities, APT 41 has used domains registered to the monikers "Zhang Xuguang" ([[Simplified Chinese characters|simplified Chinese]]: 张旭光) and "Wolfzhi". These online personas are associated with APT 41's operations and specific online Chinese language forums, although the number of other individuals working for the group is unknown.<ref name=":0" /> "Zhang Xuguang" has activity on the online forum Chinese Hackers Alliance (simplified Chinese: 华夏黑 客同盟). Information related to this individual includes his year of birth, 1989, and his former living in [[Inner Mongolia]] of PRC.<ref name=":4">{{Cite web|first=Max|last=Eddy|date=August 7, 2019|title=APT41 Is Not Your Usual Chinese Hacker Group|url=https://au.pcmag.com/news/63066/apt41-is-not-your-usual-chinese-hacker-group|access-date=2021-05-29|website=PCMag Australia|language=en-au|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602212359/https://au.pcmag.com/news/63066/apt41-is-not-your-usual-chinese-hacker-group|url-status=live}}</ref> The persona has also posted on a forum regarding the [[Age of Wushu]] online game, using the moniker "injuriesa" in 2011.<ref name=":0" /> Emails and online domains associated with "Wolfzhi" also lead to a data science community profile. Forum posts also suggest that the individual is from Beijing or the nearby province, [[Hebei]].<ref name=":0" /><ref name=":4" />


The [[Federal Bureau of Investigation|FBI]] has issued wanted posters for Haoran Zhang, Dailin Tan, Chuan Qian, Qiang Fu, and Lizhi Jiang, whom they have found to be linked with APT 41.<ref name=":3" /> Zhang and Tan were indicted on August 15, 2019, by the [[Grand jury|Grand Jury]] in the [[District of Columbia]] for charges associated with hacking offences, such as unauthorized access to protected computers, aggravated identity theft, money laundering and [[Mail and wire fraud|wire fraud.]]<ref name=":5">{{Cite news|date=2020-09-16|title=Chinese and Malaysian hackers charged by US over attacks|language=en-GB|work=BBC News|url=https://www.bbc.com/news/technology-54182769|access-date=2021-05-29}}</ref> These actions were conducted on high-tech companies, video-game companies and six unnamed individuals from the United States and the [[United Kingdom]] while the two worked together. The FBI also charged Qian, Fu, and Jiang on August 11, 2020, for [[racketeering]], money laundering, [[fraud]], and [[identity theft]].<ref name=":5" /> All three individuals were part of the management team of the Chengdu 404 Network Technology company, where the three and coworkers planned cyber attacks against companies and individuals in industries like communications, media, security, and government.<ref>{{Cite web|last=Geller|first=Eric|title=U.S. charges 5 Chinese hackers, 2 accomplices with broad campaign of cyberattacks|url=https://www.politico.com/news/2020/09/16/us-charges-chinese-hackers-cyberattacks-415954|access-date=2021-05-29|website=POLITICO|date=16 September 2020 |language=en}}</ref> Such operations were to occur in countries like the United States, [[Brazil]], [[Germany]], [[India]], [[Japan]], [[Sweden]], [[Indonesia]], [[Malaysia]], [[Pakistan]], [[Singapore]], [[South Korea]], [[Taiwan]], and [[Thailand]].<ref name=":3" />
The [[Federal Bureau of Investigation|FBI]] has issued wanted posters for Haoran Zhang, Dailin Tan, Chuan Qian, Qiang Fu, and Lizhi Jiang, whom they have found to be linked with APT 41.<ref name=":3" /> Zhang and Tan were indicted on August 15, 2019, by the [[Grand jury]] in the [[District of Columbia]] for charges associated with hacking offences, such as unauthorized access to protected computers, aggravated identity theft, money laundering and [[Mail and wire fraud|wire fraud.]]<ref name=":5">{{Cite news|date=September 16, 2020|title=Chinese and Malaysian hackers charged by US over attacks|language=en-GB|work=BBC News|url=https://www.bbc.com/news/technology-54182769|access-date=2021-05-29|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602215330/https://www.bbc.com/news/technology-54182769|url-status=live}}</ref> These actions were conducted on high-tech companies, video-game companies and six unnamed individuals from the United States and the United Kingdom while the two worked together. The FBI also charged Qian, Fu, and Jiang on August 11, 2020, for [[racketeering]], money laundering, fraud, and [[identity theft]].<ref name=":5" /> All three individuals were part of the management team of the Chengdu 404 Network Technology company, where the three and coworkers planned cyber attacks against companies and individuals in industries like communications, media, security, and government.<ref>{{Cite web|last=Geller|first=Eric|title=U.S. charges 5 Chinese hackers, 2 accomplices with broad campaign of cyberattacks|url=https://www.politico.com/news/2020/09/16/us-charges-chinese-hackers-cyberattacks-415954|access-date=2021-05-29|website=POLITICO|date=September 16, 2020|language=en|archive-date=2022-12-02|archive-url=https://web.archive.org/web/20221202050605/https://www.politico.com/news/2020/09/16/us-charges-chinese-hackers-cyberattacks-415954|url-status=live}}</ref> Such operations were to occur in countries like the United States, Brazil, Germany, India, Japan, Sweden, [[Indonesia]], [[Malaysia]], [[Pakistan]], Singapore, [[South Korea]], [[Taiwan]], and [[Thailand]].<ref name=":3" />


In August 2020, Wong Ong Hua and Ling Yang Ching, were both charged with racketeering, conspiracy, identity theft, aggravated identity theft and fraud amongst others.<ref name=":3" /> The United States Department of Justice says that the two Malaysian businessmen were working with the Chinese hackers to target video game companies in the United States, France, South Korea, Japan and Singapore and profit from these operations.<ref>{{Cite web|title=DOJ says five Chinese nationals hacked into 100 U.S. companies|url=https://www.nbcnews.com/politics/justice-department/doj-says-five-chinese-nationals-hacked-100-u-s-companies-n1240215|access-date=2021-05-29|website=NBC News|date=16 September 2020 |language=en}}</ref> These schemes, particularly a series of computer intrusions involving gaming industries, were conducted under the Malaysian company Sea Gamer Mall, which was founded by Wong.<ref name=":3" /> On September 14, 2020, Malaysian authorities arrested both individuals in Sitawan.<ref name=":3" />
In August 2020, Wong Ong Hua and Ling Yang Ching, were both charged with racketeering, conspiracy, identity theft, aggravated identity theft and fraud among others.<ref name=":3" /> The United States Department of Justice says that the two Malaysian businessmen were working with the Chinese hackers to target video game companies in the United States, France, South Korea, Japan and Singapore and profit from these operations.<ref>{{Cite web|title=DOJ says five Chinese nationals hacked into 100 U.S. companies|url=https://www.nbcnews.com/politics/justice-department/doj-says-five-chinese-nationals-hacked-100-u-s-companies-n1240215|access-date=2021-05-29|website=NBC News|date=September 16, 2020|language=en|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602212519/https://www.nbcnews.com/politics/justice-department/doj-says-five-chinese-nationals-hacked-100-u-s-companies-n1240215|url-status=live}}</ref> These schemes, particularly a series of computer intrusions involving gaming industries, were conducted under the Malaysian company Sea Gamer Mall, which was founded by Wong.<ref name=":3" /> On September 14, 2020, Malaysian authorities arrested both individuals in Sitawan.<ref name=":3" />


== Ties with Chinese government ==
== Ties with the Chinese government ==
{{Further|Cyberwarfare by China}}APT 41's operations are described as "[[Side job|moonlighting]]" due to their balance of [[espionage]] supported by the Chinese state and financially motivated activities outside of state authorization in their downtime.<ref name=":0" /><ref>{{Citation|last=Steffens|first=Timo|title=Advanced Persistent Threats|date=2020|url=http://dx.doi.org/10.1007/978-3-662-61313-9_1|work=Attribution of Advanced Persistent Threats|pages=3–21|place=Berlin, Heidelberg|publisher=Springer Berlin Heidelberg|doi=10.1007/978-3-662-61313-9_1|isbn=978-3-662-61312-2|s2cid=226742586|access-date=2021-05-25}}</ref><ref name=":9">{{Cite news|last=Bing|first=Joseph Menn, Jack Stubbs, Christopher|date=2019-08-07|title=Chinese government hackers suspected of moonlighting for profit|language=en|work=Reuters|url=https://www.reuters.com/article/us-china-cyber-moonlighters-idUSKCN1UX1JE|access-date=2021-05-29}}</ref> As such, it is harder to ascertain whether particular incidents are state-directed or not.<ref>{{Cite book|first=Jon|last=Bateman|url=http://worldcat.org/oclc/1229752520|title=War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions|publisher=Carnegie Endowment for International Peace|oclc=1229752520}}</ref> The organization has conducted multiple operations against 14 countries, most notably the United States. Such activities include incidents of [[tracking system|tracking]], the compromising of business [[supply chain]]s, and collecting [[surveillance]] data.<ref name=":1">{{cite arXiv |last=Kianpour |first= Mazaher |date=2021 |title=Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property -- The Case of APT41 |eprint=2103.04901 |class=cs.CR }}</ref> In 2022, APT 41 was linked to theft of at least $20 million in COVID-19 relief aid in the U.S.<ref>{{Cite news |last1=Fitzpatrick |first1=Sarah |last2=Ramgopal |first2=Kit |date=5 December 2022 |title=Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says |work=[[NBC News]] |url=https://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636 |access-date=5 December 2022}}</ref>
{{Further|Cyberwarfare by China}}APT 41's operations are described as "[[Side job|moonlighting]]" due to their balance of espionage supported by the Chinese state and financially motivated activities outside of state authorization in their downtime.<ref name=":0" /><ref>{{Citation|last=Steffens|first=Timo|title=Advanced Persistent Threats|date=2020|url=http://dx.doi.org/10.1007/978-3-662-61313-9_1|work=Attribution of Advanced Persistent Threats|pages=3–21|place=Berlin, Heidelberg|publisher=Springer Berlin Heidelberg|doi=10.1007/978-3-662-61313-9_1|isbn=978-3-662-61312-2|s2cid=226742586|access-date=2021-05-25}}</ref><ref name=":9">{{Cite news|last=Bing|first=Joseph Menn, Jack Stubbs, Christopher|date=August 7, 2019|title=Chinese government hackers suspected of moonlighting for profit|language=en|work=Reuters|url=https://www.reuters.com/article/us-china-cyber-moonlighters-idUSKCN1UX1JE|access-date=2021-05-29|archive-date=2021-05-31|archive-url=https://web.archive.org/web/20210531140739/https://www.reuters.com/article/us-china-cyber-moonlighters-idUSKCN1UX1JE|url-status=live}}</ref> As such, it is harder to ascertain whether particular incidents are state-directed or not.<ref>{{Cite book|first=Jon|last=Bateman|url=http://worldcat.org/oclc/1229752520|title=War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions|publisher=Carnegie Endowment for International Peace|oclc=1229752520}}</ref> The organization has conducted multiple operations against 14 countries, most notably the United States. Such activities include incidents of [[tracking system|tracking]], the compromising of business [[supply chain]]s, and collecting [[surveillance]] data.<ref name=":1">{{cite arXiv |last=Kianpour |first= Mazaher |date=2021 |title=Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property The Case of APT41 |eprint=2103.04901 |class=cs.CR }}</ref> In 2022, APT 41 was linked to theft of at least $20&nbsp;million in COVID-19 relief aid in the U.S.<ref>{{Cite news |last1=Fitzpatrick |first1=Sarah |last2=Ramgopal |first2=Kit |date=December 5, 2022 |title=Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says |work=[[NBC News]] |url=https://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636 |access-date=December 5, 2022 |archive-date=December 5, 2022 |archive-url=https://web.archive.org/web/20221205120455/https://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636 |url-status=live }}</ref>


APT 41 uses [[Cyber spying|cyber-espionage]] [[malware]] typically kept exclusive to the Chinese government.<ref>{{Citation|last1=Naughton|first1=Liam|title=Augmented Humanity: Data, Privacy and Security|date=2020|url=http://dx.doi.org/10.1007/978-3-030-35746-7_5|work=Advanced Sciences and Technologies for Security Applications|pages=73–93|place=Cham|publisher=Springer International Publishing|isbn=978-3-030-35745-0|access-date=2021-05-25|last2=Daly|first2=Herbert|doi=10.1007/978-3-030-35746-7_5|s2cid=216436285}}</ref> This characteristic is common for other advanced persistent threats, as this allows them to derive information to spy on high-profile targets or make contact with them to gain information that benefits [[national interest]].<ref>{{cite thesis |type=Msc |last=Lightfoot |first=Katie |date=2020 |title=Examining Chinese Cyber-Attacks: Targets and Threat Mitigations |publisher=Utica College |url=https://www.proquest.com/docview/2478472331|id={{ProQuest|2478472331}} }}</ref> APT 41 relation to the Chinese state can be evidenced by the fact that none of this information is on the [[dark web]] and may be obtained by the CCP.<ref>{{Cite journal|last=Chen|first=Ming Shen|date=2019|title=China's Data Collection on US Citizens:Implications, Risks, and Solutions|url=https://www.sciencepolicyjournal.org/uploads/5/4/3/4/5434385/chen_jspg_v15.pdf|journal=Journal of Science Policy & Governance|volume=15}}</ref>
APT 41 uses [[Cyber spying|cyber-espionage]] [[malware]] typically kept exclusive to the Chinese government.<ref>{{Citation|last1=Naughton|first1=Liam|title=Augmented Humanity: Data, Privacy and Security|date=2020|url=http://dx.doi.org/10.1007/978-3-030-35746-7_5|pages=73–93|place=Cham|publisher=Springer International Publishing|isbn=978-3-030-35745-0|access-date=2021-05-25|last2=Daly|first2=Herbert|series=Advanced Sciences and Technologies for Security Applications |doi=10.1007/978-3-030-35746-7_5|s2cid=216436285}}</ref> This characteristic is common for other advanced persistent threats, as this allows them to derive information to spy on high-profile targets or make contact with them to gain information that benefits [[national interest]].<ref>{{cite thesis |type=Msc |last=Lightfoot |first=Katie |date=2020 |title=Examining Chinese Cyber-Attacks: Targets and Threat Mitigations |publisher=Utica College |url=https://www.proquest.com/docview/2478472331 |id={{ProQuest|2478472331}} |access-date=2021-05-25 |archive-date=2022-03-31 |archive-url=https://web.archive.org/web/20220331080950/https://www.proquest.com/docview/2478472331 |url-status=live }}</ref> APT 41 relation to the Chinese state can be evidenced by the fact that none of this information is on the [[dark web]] and may be obtained by the CCP.<ref>{{Cite journal|last=Chen|first=Ming Shen|date=2019|title=China's Data Collection on US Citizens:Implications, Risks, and Solutions|url=https://www.sciencepolicyjournal.org/uploads/5/4/3/4/5434385/chen_jspg_v15.pdf|journal=Journal of Science Policy & Governance|volume=15|access-date=2021-05-25|archive-date=2021-01-27|archive-url=https://web.archive.org/web/20210127062642/http://www.sciencepolicyjournal.org/uploads/5/4/3/4/5434385/chen_jspg_v15.pdf|url-status=live}}</ref>


APT 41 targeting is consistent with the Chinese government's national plans to move into high research and development fields and increase production capabilities. Such initiatives coincide with the Chinese government's [[Made in China 2025]] plan, aiming to move Chinese production into high-value fields such as [[pharmacy]], [[Semiconductor|semi-conductors]], and other [[High tech|high-tech]] sectors.<ref name=":0" /><ref>{{cite press release
APT 41 targeting is consistent with the Chinese government's national plans to move into high research and development fields and increase production capabilities. Such initiatives coincide with the Chinese government's "[[Made in China 2025]]" plan, aiming to move Chinese production into high-value fields such as [[pharmacy]], [[Semiconductor|semi-conductors]], and other [[High tech|high-tech]] sectors.<ref name=":0" /><ref>{{cite press release
| author = <!--Not stated-->
|author = <!--Not stated-->
| title = Potential for China Cyber Response to Heightened U.S.–China Tensions
|title = Potential for China Cyber Response to Heightened U.S.–China Tensions
| url = https://us-cert.cisa.gov/ncas/alerts/aa20-275a
|url = https://us-cert.cisa.gov/ncas/alerts/aa20-275a
| location = Rosslyn
|location = Rosslyn
| agency = Cybersecurity and Infrastructure Security Agency
|agency = Cybersecurity and Infrastructure Security Agency
| date = October 1, 2020
|date = October 1, 2020
| access-date = April 20, 2021
|access-date = April 20, 2021
|archive-date = April 20, 2021
|archive-url = https://web.archive.org/web/20210420112530/https://us-cert.cisa.gov/ncas/alerts/aa20-275a
|url-status = live
}}</ref>
}}</ref>


FireEye has also evaluated with moderate confidence that APT 41 may engage in contract work associated with the Chinese government. Identified personas associated with the group have previously advertised their skills as hackers for hire. Their usage of HOMEUNIX and PHOTO in their personal and financially motivated operations, which are malware inaccessible to the public used by other state-sponsored espionage actors also evidences this stance.<ref name=":0" /> It is also recognized in China that more skilled hackers tend to work in the private sector under government contracts due to the higher pay.<ref>{{Cite news|last=Wong|first=Edward|date=2013-05-22|title=Hackers Find China Is Land of Opportunity|language=en-US|work=The New York Times|url=https://www.nytimes.com/2013/05/23/world/asia/in-china-hacking-has-widespread-acceptance.html|access-date=2021-05-25|issn=0362-4331}}</ref> The FireEye report also noted that the Chinese state has depended on contractors to assist with other state operations focused on cyber-espionage, as demonstrated by prior Chinese advanced persistent threats like [[APT 10]].<ref name=":0" /><ref>{{Cite web|last=Lyall|first=Nicholas|date=2018-03-01|title=China's Cyber Militias|url=https://thediplomat.com/2018/03/chinas-cyber-militias/|url-status=live|access-date=2021-05-25|website=thediplomat.com|language=en-US|archive-url=https://web.archive.org/web/20180302221546/https://thediplomat.com/2018/03/chinas-cyber-militias/ |archive-date=2018-03-02 }}</ref> APT 41 is viewed by some as potentially made up of skilled Chinese citizens, who are utilized and employed by the Chinese government, leading to the assumptions that members of the group often work two jobs, which is supported by their operating hours.<ref name=":0" /><ref name=":6">{{cite report
FireEye has also evaluated with moderate confidence that APT 41 may engage in contract work associated with the Chinese government. Identified personas associated with the group have previously advertised their skills as hackers for hire. Their usage of HOMEUNIX and PHOTO in their personal and financially motivated operations, which are malware inaccessible to the public used by other state-sponsored espionage actors also evidences this stance.<ref name=":0" /> It is also recognized in China that more skilled hackers tend to work in the private sector under government contracts due to the higher pay.<ref>{{Cite news|last=Wong|first=Edward|date=May 22, 2013|title=Hackers Find China Is Land of Opportunity|language=en-US|work=The New York Times|url=https://www.nytimes.com/2013/05/23/world/asia/in-china-hacking-has-widespread-acceptance.html|access-date=2021-05-25|issn=0362-4331|archive-date=2021-05-25|archive-url=https://web.archive.org/web/20210525112247/https://www.nytimes.com/2013/05/23/world/asia/in-china-hacking-has-widespread-acceptance.html|url-status=live}}</ref> The FireEye report also noted that the Chinese state has depended on contractors to assist with other state operations focused on cyber-espionage, as demonstrated by prior Chinese advanced persistent threats like [[APT 10]].<ref name=":0" /><ref>{{Cite web|last=Lyall|first=Nicholas|date=March 1, 2018|title=China's Cyber Militias|url=https://thediplomat.com/2018/03/chinas-cyber-militias/|url-status=live|access-date=2021-05-25|website=thediplomat.com|language=en-US|archive-url=https://web.archive.org/web/20180302221546/https://thediplomat.com/2018/03/chinas-cyber-militias/ |archive-date=2018-03-02 }}</ref> APT 41 is viewed by some as potentially made up of skilled Chinese citizens, who are used and employed by the Chinese government, leading to the assumptions that members of the group often work two jobs, which is supported by their operating hours.<ref name=":0" /><ref name=":6">{{cite report
| author = Cyber Intelligence Lab - Macquarie University
| author =
| author-link =
| authors =
| date = 2020
| date = 2020
| title = Australian Universities under Attack: A CiLab PACE Project
| title = Australian Universities under Attack: A CiLab PACE Project
| url = https://www.mq.edu.au/__data/assets/pdf_file/0010/1104886/Australian_Universities_Under_Attack_White_Paper_Dec2020_Final.pdf
| url = https://www.mq.edu.au/__data/assets/pdf_file/0010/1104886/Australian_Universities_Under_Attack_White_Paper_Dec2020_Final.pdf
| publisher = Macquarie University
| publisher = Macquarie University
| format =
| format =
| edition =
| edition =
| location =
| location =
| chapter =
| chapter =
| section =
| section =
| page =
| page =
| pages =
| pages =
| docket =
| docket =
| access-date =
| access-date =
| quote =
| quote =
| archive-date = May 4, 2021
}}</ref>
| archive-url = https://web.archive.org/web/20210504045023/https://www.mq.edu.au/__data/assets/pdf_file/0010/1104886/Australian_Universities_Under_Attack_White_Paper_Dec2020_Final.pdf
| url-status = live
}}</ref>


== Techniques ==
== Techniques ==
The operating techniques of APT 41 are distinct, particularly in their usage of passive [[Backdoor (computing)|backdoors]] compared to traditional ones. While traditional backdoors utilized by other advanced persistent threats are easily detectable, this technique is often much harder to identify.<ref name=":0" /> Techniques applied in financially motivated APT 41 activity also include software [[Supply chain attack|supply-chain compromises]]. This has allowed them to implement injected codes into legitimate files to be distributed, which endanger other organizations by stealing data and altering systems.<ref>{{Cite journal|last1=Kim|first1=Bong-Jae|last2=Lee|first2=Seok-Won|date=2020|title=Understanding and recommending security requirements from problem domain ontology: A cognitive three-layered approach|url=http://dx.doi.org/10.1016/j.jss.2020.110695|journal=Journal of Systems and Software|volume=169|pages=110695|doi=10.1016/j.jss.2020.110695|s2cid=221592911|issn=0164-1212}}</ref> Sophisticated malware is often deployed as well to remain undetected while extracting data.<ref name=":6" /> [[Bootkit]]s are also a type of malware used by the group, which is both difficult to detect and harder to find amongst other cyber espionage and [[cybercrime]] groups, making it harder for security systems to detect malicious code.<ref name=":0" /> They also used Deadeye launcher and Lowkey malware to perform instant reconnaissance while remaining undetected.<ref>{{Cite web |last=capsnetdroff |date=2022-08-04 |title=Decoding Chinese Hacking Syndicate – APT 41 |url=https://capsindia.org/decoding-chinese-hacking-syndicate-apt-41/ |access-date=2023-05-02 |website=CAPS India |language=en-US}}</ref>
The operating techniques of APT 41 are distinct, particularly in their usage of passive [[Backdoor (computing)|backdoors]] compared to traditional ones. While traditional backdoors used by other advanced persistent threats are easily detectable, this technique is often much harder to identify.<ref name=":0" /> Techniques applied in financially motivated APT 41 activity also include software [[Supply chain attack|supply-chain compromises]]. This has allowed them to implement injected codes into legitimate files to be distributed, which endanger other organizations by stealing data and altering systems.<ref>{{Cite journal|last1=Kim|first1=Bong-Jae|last2=Lee|first2=Seok-Won|date=2020|title=Understanding and recommending security requirements from problem domain ontology: A cognitive three-layered approach|url=http://dx.doi.org/10.1016/j.jss.2020.110695|journal=Journal of Systems and Software|volume=169|pages=110695|doi=10.1016/j.jss.2020.110695|s2cid=221592911|issn=0164-1212}}</ref> Sophisticated malware is often deployed as well to remain undetected while extracting data.<ref name=":6" /> [[Bootkit]]s are also a type of malware used by the group, which is both difficult to detect and harder to find among other cyber espionage and [[cybercrime]] groups, making it harder for security systems to detect malicious code.<ref name=":0" /> They also used Deadeye launcher and Lowkey malware to perform instant reconnaissance while remaining undetected.<ref>{{Cite web |last=capsnetdroff |date=August 4, 2022 |title=Decoding Chinese Hacking Syndicate – APT 41 |url=https://capsindia.org/decoding-chinese-hacking-syndicate-apt-41/ |access-date=2023-05-02 |website=CAPS India |language=en-US |archive-date=2023-05-02 |archive-url=https://web.archive.org/web/20230502173730/https://capsindia.org/decoding-chinese-hacking-syndicate-apt-41/ |url-status=live }}</ref>


Spear-phishing emails are regularly utilized by APT 41 across both cyber espionage and financial attacks.<ref name=":2" /> The group has sent many misleading emails which attempt to take information from high-level targets after gathering personal data to increase the likelihood of success.<ref>{{Cite journal|last=O'Leary|first=Daniel E.|date=2019|title=What Phishing E-mails Reveal: An Exploratory Analysis of Phishing Attempts Using Text Analyzes|url=http://dx.doi.org/10.2139/ssrn.3427436|journal=SSRN Electronic Journal|doi=10.2139/ssrn.3427436|s2cid=239250225|issn=1556-5068}}</ref> Targets have varied from [[Media (communication)|media]] groups for espionage activities to [[bitcoin]] exchanges for financial gain.<ref name=":0" />
Spear-phishing emails are regularly used by APT 41 across both cyber espionage and financial attacks.<ref name=":2" /> The group has sent many misleading emails which attempt to take information from high-level targets after gathering personal data to increase the likelihood of success.<ref>{{Cite journal|last=O'Leary|first=Daniel E.|date=2019|title=What Phishing E-mails Reveal: An Exploratory Analysis of Phishing Attempts Using Text Analyzes|url=http://dx.doi.org/10.2139/ssrn.3427436|journal=SSRN Electronic Journal|doi=10.2139/ssrn.3427436|s2cid=239250225|issn=1556-5068|access-date=2021-05-25|archive-date=2021-03-21|archive-url=https://web.archive.org/web/20210321122456/https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3427436|url-status=live}}</ref> Targets have varied from media groups for espionage activities to [[bitcoin]] exchanges for financial gain.<ref name=":0" />


== Activities ==
== Activities ==
'''Espionage Activity'''
'''Espionage activity'''


APT 41's targeting is deemed by FireEye to correlate with China's national strategies and goals, particularly those regarding technology.<ref name=":0" /><ref name=":6" /><ref name=":7">{{Cite web|last=Doffman|first=Zak|title=Spies By Day, Thieves By Night—China's Hackers Using Espionage Tools For Personal Gain: Report|url=https://www.forbes.com/sites/zakdoffman/2019/08/07/chinese-state-hackers-attack-video-games-and-cryptocurrencies-for-after-hours-personal-gain/|access-date=2021-05-29|website=Forbes|language=en}}</ref> The targeting of tech firms align with Chinese interest in developing high-tech instruments domestically, as demonstrated by the 12th and 13th Five-Year Plans.<ref name=":0" /> The attack on organizations in various different sectors is believed by FireEye to be indicative of APT 41 fulfilling specifically assigned tasks. Campaigns attributed to APT 41 also demonstrates that the group is used to obtain information before major political and financial events.<ref name=":0" /><ref name=":7" /> They have attacked companies in 14 different countries (and Hong Kong) including France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, the United Kingdom, and the United States.<ref name=":14">{{Cite web |last=XTI |first=SOCRadar |date=2022-03-15 |title=Deep Web Profile: APT41/Double Dragon |url=https://socradar.io/5-facts-you-should-know-about-apt41-double-dragon/ |access-date=2023-05-02 |website=SOCRadar® Cyber Intelligence Inc. |language=en-US}}</ref> They have also been discovered in several different industries, including healthcare, telecommunications, and technology.<ref name=":14" />
APT 41's targeting is deemed by FireEye to correlate with China's national strategies and goals, particularly those regarding technology.<ref name=":0" /><ref name=":6" /><ref name=":7">{{Cite web|last=Doffman|first=Zak|title=Spies By Day, Thieves By Night—China's Hackers Using Espionage Tools For Personal Gain: Report|url=https://www.forbes.com/sites/zakdoffman/2019/08/07/chinese-state-hackers-attack-video-games-and-cryptocurrencies-for-after-hours-personal-gain/|access-date=2021-05-29|website=Forbes|language=en|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602214536/https://www.forbes.com/sites/zakdoffman/2019/08/07/chinese-state-hackers-attack-video-games-and-cryptocurrencies-for-after-hours-personal-gain/|url-status=live}}</ref> The targeting of tech firms align with Chinese interest in developing high-tech instruments domestically, as demonstrated by the 12th and 13th Five-Year Plans.<ref name=":0" /> The attack on organizations in various different sectors is believed by FireEye to be indicative of APT 41 fulfilling specifically assigned tasks. Campaigns attributed to APT 41 also demonstrates that the group is used to obtain information before major political and financial events.<ref name=":0" /><ref name=":7" /> They have attacked companies in 14 different countries (and Hong Kong) including France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, the United Kingdom, and the United States.<ref name=":14">{{Cite web |last=XTI |first=SOCRadar |date=March 15, 2022 |title=Deep Web Profile: APT41/Double Dragon |url=https://socradar.io/5-facts-you-should-know-about-apt41-double-dragon/ |access-date=2023-05-02 |website=SOCRadar Cyber Intelligence Inc. |language=en-US |archive-date=2023-05-02 |archive-url=https://web.archive.org/web/20230502163923/https://socradar.io/5-facts-you-should-know-about-apt41-double-dragon/ |url-status=live }}</ref> They have also been discovered in several different industries, including healthcare, telecommunications, and technology.<ref name=":14" />


The German company [[TeamViewer AG]], behind the popular software of the same name which allowed system control remotely, was hacked in June 2016 by APT 41 according to a FireEye security conference.<ref name=":13" /> The group was able to access the systems of TeamViewer users around the world and obtain management details and information regarding businesses.<ref name=":13">{{Cite book|last1=Hu|first1=Chunhui|last2=Zhang|first2=Ling|last3=Luo|first3=Xian|last4=Chen|first4=Jianfeng|title=Proceedings of the 2020 3rd International Conference on Geoinformatics and Data Analysis |chapter=Research of Global Strategic Cyberspace Security Risk Evaluation System Based on Knowledge Service |date=2020-04-15|chapter-url=http://dx.doi.org/10.1145/3397056.3397084|series=Icgda 2020|pages=140–146|location=New York, NY, USA|publisher=ACM|doi=10.1145/3397056.3397084|isbn=978-1-4503-7741-6|s2cid=220281616}}</ref> In 2021 APT 41 launched several phishing scams in India that were found by the BlackBerry Research and Intelligence. They also stole data relating to new tax legislation and COVID-19 records and statistics. The group masked their identity to be the Indian government so that they would remain undetected.<ref>{{Cite web |last=capsnetdroff |date=2022-08-04 |title=Decoding Chinese Hacking Syndicate – APT 41 |url=https://capsindia.org/decoding-chinese-hacking-syndicate-apt-41/ |access-date=2023-05-02 |website=CAPS India |language=en-US}}</ref>
The German company [[TeamViewer AG]], behind the popular software of the same name which allowed system control remotely, was hacked in June 2016 by APT 41 according to a FireEye security conference.<ref name=":13" /> The group was able to access the systems of TeamViewer users around the world and obtain management details and information regarding businesses.<ref name=":13">{{Cite book|last1=Hu|first1=Chunhui|last2=Zhang|first2=Ling|last3=Luo|first3=Xian|last4=Chen|first4=Jianfeng|title=Proceedings of the 2020 3rd International Conference on Geoinformatics and Data Analysis |chapter=Research of Global Strategic Cyberspace Security Risk Evaluation System Based on Knowledge Service |date=April 15, 2020|chapter-url=http://dx.doi.org/10.1145/3397056.3397084|series=Icgda 2020|pages=140–146|location=New York, NY, USA|publisher=ACM|doi=10.1145/3397056.3397084|isbn=978-1-4503-7741-6|s2cid=220281616}}</ref> In 2021 APT 41 launched several phishing scams in India that were found by the [[BlackBerry Limited|BlackBerry Research and Intelligence]]. They also stole data relating to [[New Tax Regime|new tax legislation]] and [[Statistics of the COVID-19 pandemic in India|COVID-19 records and statistics]]. The group masked their identity to be the [[Government of India|Indian government]] so that they would remain undetected.<ref>{{Cite web |last=capsnetdroff |date=August 4, 2022 |title=Decoding Chinese Hacking Syndicate – APT 41 |url=https://capsindia.org/decoding-chinese-hacking-syndicate-apt-41/ |access-date=2023-05-02 |website=CAPS India |language=en-US |archive-date=2023-05-02 |archive-url=https://web.archive.org/web/20230502173730/https://capsindia.org/decoding-chinese-hacking-syndicate-apt-41/ |url-status=live }}</ref>


'''Financially Motivated Activities'''
'''Financially motivated activities'''


APT 41 has targeted the video-game industry for the majority of its activity focused on financial gain.<ref name=":0" /> Chinese internet forums indicated that associated members linked to APT 41 have advertised their hacking skills outside of Chinese office hours for their own profits.<ref name=":6" /> In one FireEye reported case, the group was able to generate virtual game currency and sell it to buyers through underground markets and [[Money laundering|laundering]] schemes,<ref name=":3">{{cite press release
APT 41 has targeted the video-game industry for the majority of its activity focused on financial gain.<ref name=":0" /> Chinese internet forums indicated that associated members linked to APT 41 have advertised their hacking skills outside of Chinese office hours for their own profits.<ref name=":6" /> In one FireEye reported case, the group was able to generate virtual game currency and sell it to buyers through underground markets and [[Money laundering|laundering]] schemes,<ref name=":3">{{cite press release
| author = <!--Not stated-->
|author = <!--Not stated-->
| title = Seven International Cyber Defendants, Including "Apt41" Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally
|title = Seven International Cyber Defendants, Including "Apt41" Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally
| url = https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
|url = https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
| location = Washington
|location = Washington
| agency = United States Department of Justice
|agency = United States Department of Justice
| date = September 16, 2020
|date = September 16, 2020
| access-date = April 20, 2021
|access-date = April 20, 2021
|archive-date = December 6, 2022
|archive-url = https://web.archive.org/web/20221206160651/https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
|url-status = live
}}</ref><ref name=":0" /><ref name=":1" /> which could have been sold for up to US$300,000.<ref name=":7" /> Although it is not a typical method used by the group for collecting money, APT 41 also attempted to deploy [[ransomware]] to profit from their operations.<ref name=":0" />
}}</ref><ref name=":0" /><ref name=":1" /> which could have been sold for up to US$300,000.<ref name=":7" /> Although it is not a typical method used by the group for collecting money, APT 41 also attempted to deploy [[ransomware]] to profit from their operations.<ref name=":0" />


FireEye reports that because most of APT 41's financially motivated activity occurs later in the night or early in the morning, this could mean that these activities are completely unrelated to their espionage activities.<ref name=":0" /> FireEye reports that APT 41's activities are on average between 10:00 to 23:00 [[China Standard Time]], which is typical for Chinese tech workers who follow a [[996 working hour system|996]] work schedule.<ref name=":0" />
FireEye reports that because most of APT 41's financially motivated activity occurs later in the night or early in the morning, this could mean that these activities are completely unrelated to their espionage activities.<ref name=":0" /> FireEye reports that APT 41's activities are on average between 10:00 to 23:00 [[China Standard Time]], which is typical for Chinese tech workers who follow a "[[996 working hour system|996]]" work schedule.<ref name=":0" />


APT 41 uses [[Public key certificate|digital certificates]] obtained from video game developers and producers to sign their malware.<ref name=":3" /><ref>{{Cite web|title=Software Supply Chain Attacks {{!}} CISA|url=https://www.cisa.gov/publication/software-supply-chain-attacks|access-date=2021-05-29|website=www.cisa.gov|date=20 May 2021 }}</ref> Through the application of over 19 different digital certificates, they target both gaming and non-gaming organizations to avoid detection and ensure compatibility with the systems of the target.<ref name=":0" /> In 2012, a certificate from a South Korean game publisher was leveraged by APT 41 to sign the malware they use against other members of the gaming industry.<ref name=":0" /> In 2021 APT 41 launched a series of attacks against the illegal gambling industry in China.<ref>{{cite web |last1=Starks |first1=Tim |title=Suspected Chinese hackers return with unusual attacks on domestic gambling companies |url=https://www.cyberscoop.com/winnti-trend-micro-china-gambling/ |website=www.cyberscoop.com |date=12 July 2021 |publisher=Cyberscoop |access-date=17 July 2021}}</ref>
APT 41 uses [[Public key certificate|digital certificates]] obtained from video game developers and producers to sign their malware.<ref name=":3" /><ref>{{Cite web|title=Software Supply Chain Attacks {{!}} CISA|url=https://www.cisa.gov/publication/software-supply-chain-attacks|access-date=2021-05-29|website=www.cisa.gov|date=May 20, 2021|archive-date=2021-05-24|archive-url=https://web.archive.org/web/20210524155403/https://www.cisa.gov/publication/software-supply-chain-attacks|url-status=live}}</ref> Through the application of over 19 different digital certificates, they target both gaming and non-gaming organizations to avoid detection and ensure compatibility with the systems of the target.<ref name=":0" /> In 2012, a certificate from a South Korean game publisher was leveraged by APT 41 to sign the malware they use against other members of the gaming industry.<ref name=":0" /> In 2021 APT 41 launched a series of attacks against the [[Gambling in China|illegal gambling industry in China]].<ref>{{cite web |last1=Starks |first1=Tim |title=Suspected Chinese hackers return with unusual attacks on domestic gambling companies |url=https://www.cyberscoop.com/winnti-trend-micro-china-gambling/ |website=www.cyberscoop.com |date=July 12, 2021 |publisher=Cyberscoop |access-date=July 17, 2021 |archive-date=July 17, 2021 |archive-url=https://web.archive.org/web/20210717013554/https://www.cyberscoop.com/winnti-trend-micro-china-gambling/ |url-status=live }}</ref>


== US Department of Justice ==
== U.S. Department of Justice ==
On the 16th of September 2020, The United States Department of Justice released previously sealed charges against 5 Chinese and 2 Malaysian citizens for hacking more than 100 companies across the world.<ref name=":3" /><ref name=":10">{{Cite web|title=DOJ Indicts Chinese Hackers for Break-Ins at 100 Companies (3)|url=https://news.bloomberglaw.com/white-collar-and-criminal-law/doj-says-chinese-hackers-indicted-for-break-ins-at-100-companies|access-date=2021-05-29|website=news.bloomberglaw.com|language=en}}</ref> These include firms involved in social-media, universities, telecommunications providers, software development, computer hardware, video-games, non-profit organizations, think tanks, foreign governments, and pro-democracy supporters in Hong Kong.<ref name=":3" /><ref name=":11">{{Cite news|last=O’Keeffe|first=Dustin Volz, Aruna Viswanatha and Kate|date=2020-09-16|title=U.S. Charges Chinese Nationals in Cyberattacks on More Than 100 Companies|language=en-US|work=Wall Street Journal|url=https://www.wsj.com/articles/justice-department-unseals-indictments-alleging-chinese-hacking-against-u-s-international-firms-11600269024|access-date=2021-05-29|issn=0099-9660}}</ref> The attacks were said to have involved the theft of code, code signing certificates, customer data and business information.<ref name=":10" /> Deputy Attorney General [[Jeffrey A. Rosen|Jeffrey Rosen]] says that these actions involved having the hackers plant “back-doors” into software which allowed direct access to the systems of the software provider's company.<ref name=":12">{{Cite web|last=Johnson|first=Kevin|title=5 Chinese citizens at large, 2 Malaysian suspects arrested in global hacking campaign targeting gaming|url=https://www.usatoday.com/story/news/politics/2020/09/16/5-chinese-citizens-large-alleged-apt-41-global-hacking-campaign/5817820002/|access-date=2021-05-29|website=USA TODAY|language=en-US}}</ref> Two of the Chinese hackers also conducted attacks on the US gaming industry, which involved at least 6 companies in [[New York (state)|New York]], [[Texas]], [[Washington (state)|Washington]], [[Illinois]], [[California]], and the United Kingdom.<ref name=":10" />
On September 16, 2020, the [[United States Department of Justice]] released previously sealed charges against 5 Chinese and 2 Malaysian citizens for hacking more than 100 companies across the world.<ref name=":3" /><ref name=":10">{{Cite web|title=DOJ Indicts Chinese Hackers for Break-Ins at 100 Companies (3)|url=https://news.bloomberglaw.com/white-collar-and-criminal-law/doj-says-chinese-hackers-indicted-for-break-ins-at-100-companies|access-date=2021-05-29|website=news.bloomberglaw.com|language=en|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602214623/https://news.bloomberglaw.com/white-collar-and-criminal-law/doj-says-chinese-hackers-indicted-for-break-ins-at-100-companies|url-status=live}}</ref> These include firms involved in social-media, universities, telecommunications providers, software development, computer hardware, video-games, non-profit organizations, think tanks, foreign governments, and pro-democracy supporters in Hong Kong.<ref name=":3" /><ref name=":11">{{Cite news|last=O’Keeffe|first=Dustin Volz, Aruna Viswanatha and Kate|date=September 16, 2020|title=U.S. Charges Chinese Nationals in Cyberattacks on More Than 100 Companies|language=en-US|work=Wall Street Journal|url=https://www.wsj.com/articles/justice-department-unseals-indictments-alleging-chinese-hacking-against-u-s-international-firms-11600269024|access-date=2021-05-29|issn=0099-9660|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602212627/https://www.wsj.com/articles/justice-department-unseals-indictments-alleging-chinese-hacking-against-u-s-international-firms-11600269024|url-status=live}}</ref> The attacks were said to have involved the theft of code, code signing certificates, customer data and business information.<ref name=":10" /> Deputy Attorney General [[Jeffrey A. Rosen|Jeffrey Rosen]] says that these actions involved having the hackers plant "back-doors" into software which allowed direct access to the systems of the software provider's company.<ref name=":12">{{Cite web|last=Johnson|first=Kevin|title=5 Chinese citizens at large, 2 Malaysian suspects arrested in global hacking campaign targeting gaming|url=https://www.usatoday.com/story/news/politics/2020/09/16/5-chinese-citizens-large-alleged-apt-41-global-hacking-campaign/5817820002/|access-date=2021-05-29|website=USA TODAY|language=en-US|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602212620/https://www.usatoday.com/story/news/politics/2020/09/16/5-chinese-citizens-large-alleged-apt-41-global-hacking-campaign/5817820002/|url-status=live}}</ref> Two of the Chinese hackers also conducted attacks on the US gaming industry, which involved at least 6 companies in New York, Texas, [[Washington (state)|Washington]], Illinois, California, and the United Kingdom.<ref name=":10" />


The [[US District Court]] for the District of Columbia distributed warrants calling for the seizure of accounts, servers, domain names, and web pages used by the hackers to conduct their operations. The FBI had the responsibility of executing the warrants as well as other private sector companies.<ref name=":3" /> Microsoft also developed technical measures to prevent continued access to computer systems of victims. The [[Federal Bureau of Investigation]] released a report containing technical information that can be used by private sector groups.<ref name=":3" />
The [[U.S. District Court]] for the District of Columbia distributed warrants calling for the seizure of accounts, servers, domain names, and web pages used by the hackers to conduct their operations. The [[FBI]] had the responsibility of executing the warrants as well as other private sector companies.<ref name=":3" /> Microsoft also developed technical measures to prevent continued access to computer systems of victims. The Federal Bureau of Investigation released a report containing technical information that can be used by private sector groups.<ref name=":3" />


The Justice Department congratulated the Malaysian government, particularly the Attorney General's Chambers of Malaysia and the [[Royal Malaysia Police]], in cooperating and aiding their arrest of the two Malay nationals, particularly since difficulties lie in arresting foreign hackers in general.<ref name=":3" /><ref name=":11" /> The press release mentioned [[Microsoft]], [[Google]], [[Facebook]] and [[Verizon Media]] as groups which helped their investigation.<ref name=":3" /> The FBI also credited the Taiwanese [[Ministry of Justice Investigation Bureau]], which helped provide information to US authorities after discovering APT 41 servers set up in California.<ref>{{Cite web|title=Taiwan, US nail Chinese hackers behind mass cyberattacks|url=https://www.taiwannews.com.tw/en/news/4011853|access-date=2021-05-29|website=Taiwan News|date=18 September 2020}}</ref><ref>{{Cite web|title=FBI agent thanks Taiwan for help in indicting Chinese hackers - Focus Taiwan|url=https://focustaiwan.tw/politics/202009180012|access-date=2021-05-29|website=focustaiwan.tw|language=zh-Hant-TW}}</ref>
The Justice Department congratulated the Malaysian government, particularly the Attorney General's Chambers of Malaysia and the [[Royal Malaysia Police]], in cooperating and aiding their arrest of the two Malay nationals, particularly since difficulties lie in arresting foreign hackers in general.<ref name=":3" /><ref name=":11" /> The press release mentioned Microsoft, Google, Facebook and [[Verizon Media]] as groups which helped their investigation.<ref name=":3" /> The FBI also credited the Taiwanese [[Ministry of Justice Investigation Bureau]], which helped provide information to US authorities after discovering APT 41 servers set up in California.<ref>{{Cite web|title=Taiwan, US nail Chinese hackers behind mass cyberattacks|url=https://www.taiwannews.com.tw/en/news/4011853|access-date=2021-05-29|website=Taiwan News|date=September 18, 2020|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602213757/https://www.taiwannews.com.tw/en/news/4011853|url-status=live}}</ref><ref>{{Cite web|title=FBI agent thanks Taiwan for help in indicting Chinese hackers Focus Taiwan|url=https://focustaiwan.tw/politics/202009180012|access-date=2021-05-29|website=focustaiwan.tw|date=September 18, 2020|language=zh-Hant-TW|archive-date=2021-06-02|archive-url=https://web.archive.org/web/20210602214409/https://focustaiwan.tw/politics/202009180012|url-status=live}}</ref>


Contrastingly, Rosen criticizes the Chinese Communist Party in their inaction when it came to assisting the FBI for the arrest of the 5 Chinese hackers associated with APT 41.<ref name=":11" /><ref name=":12" /> Rosen also claimed that the Chinese Communist Party was “making China safe for their cyber criminals” as they continue to assist them in espionage.<ref name=":12" /> Chinese Foreign Ministry spokesman [[Wang Wenbin]] says that the US uses its own cybersecurity issues to “attack China” through spreading false information, and political manipulation.<ref name=":10" />
Contrastingly, Rosen criticized the Chinese Communist Party in their inaction when it came to assisting the FBI for the arrest of the 5 Chinese hackers associated with APT 41.<ref name=":11" /><ref name=":12" /> Rosen also claimed that the Chinese Communist Party was "making China safe for their cyber criminals" as they continue to assist them in espionage.<ref name=":12" /> Chinese Foreign Ministry spokesman [[Wang Wenbin]] says that the US uses its own cybersecurity issues to "attack China" through spreading false information, and political manipulation.<ref name=":10" />


This announcement was made during [[Donald Trump|President Donald Trump's]] re-election campaign, associating the Chinese Communist Party with various cyber-espionage attacks. Alongside [[Russia]] and [[Iran]], China was identified in a national threat assessment to the election.<ref name=":12" /><ref>{{cite press release |last=Evanina |first=William |date=2020-08-07 |title=STATEMENT BY NCSC DIRECTOR WILLIAM EVANINA: ELECTION THREAT UPDATE FOR THE AMERICAN PUBLIC |url=https://www.dni.gov/index.php/newsroom/press-releases/item/2139-statement-by-ncsc-director-william-evanina-election-threat-update-for-the-american-public |agency= Office of the Director of National Intelligence|access-date=2021-05-29}}</ref>
This announcement was made during President [[Donald Trump 2020 presidential campaign|Donald Trump's re-election campaign]], associating the Chinese Communist Party with various cyber-espionage attacks. Alongside Russia and Iran, China was identified in a national threat assessment to the election.<ref name=":12" /><ref>{{cite press release |last=Evanina |first=William |date=August 7, 2020 |title=STATEMENT BY NCSC DIRECTOR WILLIAM EVANINA: ELECTION THREAT UPDATE FOR THE AMERICAN PUBLIC |url=https://www.dni.gov/index.php/newsroom/press-releases/item/2139-statement-by-ncsc-director-william-evanina-election-threat-update-for-the-american-public |agency=Office of the Director of National Intelligence |access-date=2021-05-29 |archive-date=2020-11-19 |archive-url=https://web.archive.org/web/20201119071549/https://www.dni.gov/index.php/newsroom/press-releases/item/2139-statement-by-ncsc-director-william-evanina-election-threat-update-for-the-american-public |url-status=live }}</ref>


== Links with other groups ==
== Links with other groups ==
APT 41 has overlaps in activity with public reporting on other groups such as Barium and Winnti.<ref name=":8" /> In terms of technique, there are many overlaps in digital certificates and malware. According to FireEye, one of the most prominent similarities is the use of similar malware, particularly HIGHNOON, across various areas of activity.<ref name=":8" /> The use of the HIGHNOON malware was reported by FireEye and grouped under the APT 15 group (also known as Ke3chang, Vixen Panda, GREF, Playful Dragon).<ref name=":0" /> However, this was later found to be the work of multiple Chinese groups which share tools and strategies. A digital certificate distributed by video game company [[YNK Korea|YNK Japan]] was used by APT 41, as well as other APT groups such as APT 17 and APT 20.<ref name=":0" /> A digital certificate allegedly from the [[Microsoft]] Certificate Authority was also used by APT 41 and APT 40.<ref name=":0" /> Non-public malware used by APT 41 is linked to other alleged Chinese state-sponsored groups, which may indicate that APT 41 has shared resources with other groups.<ref name=":0" /><ref name=":9" />
APT 41 has overlaps in activity with public reporting on other groups such as Barium and Winnti.<ref name=":8" /> In terms of technique, there are many overlaps in digital certificates and malware. According to FireEye, one of the most prominent similarities is the use of similar malware, particularly HIGHNOON, across various areas of activity.<ref name=":8" /> The use of the HIGHNOON malware was reported by FireEye and grouped under the APT 15 group (also known as Ke3chang, Vixen Panda, GREF, Playful Dragon).<ref name=":0" /> However, this was later found to be the work of multiple Chinese groups which share tools and strategies. A digital certificate distributed by video game company [[YNK Korea|YNK Japan]] was used by APT 41, as well as other APT groups such as APT 17 and APT 20.<ref name=":0" /> A digital certificate allegedly from the [[Microsoft]] [[Certificate authority|Certificate Authority]] was also used by APT 41 and APT 40.<ref name=":0" /> Non-public malware used by APT 41 is linked to other alleged Chinese state-sponsored groups, which may indicate that APT 41 has shared resources with other groups.<ref name=":0" /><ref name=":9" />


== See also ==
== See also ==
Line 119: Line 126:
* [[Red Apollo]]
* [[Red Apollo]]
* [[APT40]]
* [[APT40]]

== Notes ==
{{Notelist}}


== References ==
== References ==
{{Reflist}}
{{Reflist}}



{{Hacking in the 2010s}}
{{Hacking in the 2010s}}
{{MSS}}
{{authority control}}

[[Category:Cyberespionage units of the Ministry of State Security (China)]]
[[Category:Cyberespionage units of the Ministry of State Security (China)]]
[[Category:Chinese advanced persistent threat groups]]
[[Category:Chinese advanced persistent threat groups]]
[[Category:Hacker groups]]
[[Category:Hacking in the 2010s]]
[[Category:Hacking in the 2010s]]
[[Category:Hacking in the 2020s]]
[[Category:Hacking in the 2020s]]
[[Category:Information technology in China]]
[[Category:Information technology in China]]
[[Category:Cyberwarfare by China]]
[[Category:Cybercrime in India]]
[[Category:China–India relations]]

Latest revision as of 15:03, 17 December 2024

Double Dragon[a] is a hacker group with alleged ties to the Chinese Ministry of State Security (MSS).[4] Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.[5][6][7][8]

In 2019, the cybersecurity company FireEye stated with high confidence that the group was sponsored by the Chinese Communist Party (CCP) while conducting operations for financial gain.[9] The name "Double Dragon" originates from the duality of their operation, as they engage in espionage and individual financial gain.[10] The devices they use are usually used for state-sponsored intelligence.

Investigations conducted by FireEye have found APT 41 operations in multiple sectors, such as healthcare, telecommunications, and technology.[9] The group conducts many of its financial activities in the video game industry, including development studios, distributors, and publishers.[11]

Double Dragon
Formation2012
TypeAdvanced persistent threat
PurposeCyberespionage, cyberwarfare, Cybercrime
Region
China
Methodsspearphishing, malware, supply chain attack
Official language
Mandarin
OwnerMinistry of State Security
Formerly called
APT 41, Barium, Winnti, Wicked Spider, Wicked Panda, TG-2633, Bronze Atlas, Red Kelpie, Blackfly

Associated personnel

[edit]
An FBI wanted poster for 5 Chinese hackers associated with APT 41

In their earlier activities, APT 41 has used domains registered to the monikers "Zhang Xuguang" (simplified Chinese: 张旭光) and "Wolfzhi". These online personas are associated with APT 41's operations and specific online Chinese language forums, although the number of other individuals working for the group is unknown.[9] "Zhang Xuguang" has activity on the online forum Chinese Hackers Alliance (simplified Chinese: 华夏黑 客同盟). Information related to this individual includes his year of birth, 1989, and his former living in Inner Mongolia of PRC.[12] The persona has also posted on a forum regarding the Age of Wushu online game, using the moniker "injuriesa" in 2011.[9] Emails and online domains associated with "Wolfzhi" also lead to a data science community profile. Forum posts also suggest that the individual is from Beijing or the nearby province, Hebei.[9][12]

The FBI has issued wanted posters for Haoran Zhang, Dailin Tan, Chuan Qian, Qiang Fu, and Lizhi Jiang, whom they have found to be linked with APT 41.[1] Zhang and Tan were indicted on August 15, 2019, by the Grand jury in the District of Columbia for charges associated with hacking offences, such as unauthorized access to protected computers, aggravated identity theft, money laundering and wire fraud.[13] These actions were conducted on high-tech companies, video-game companies and six unnamed individuals from the United States and the United Kingdom while the two worked together. The FBI also charged Qian, Fu, and Jiang on August 11, 2020, for racketeering, money laundering, fraud, and identity theft.[13] All three individuals were part of the management team of the Chengdu 404 Network Technology company, where the three and coworkers planned cyber attacks against companies and individuals in industries like communications, media, security, and government.[14] Such operations were to occur in countries like the United States, Brazil, Germany, India, Japan, Sweden, Indonesia, Malaysia, Pakistan, Singapore, South Korea, Taiwan, and Thailand.[1]

In August 2020, Wong Ong Hua and Ling Yang Ching, were both charged with racketeering, conspiracy, identity theft, aggravated identity theft and fraud among others.[1] The United States Department of Justice says that the two Malaysian businessmen were working with the Chinese hackers to target video game companies in the United States, France, South Korea, Japan and Singapore and profit from these operations.[15] These schemes, particularly a series of computer intrusions involving gaming industries, were conducted under the Malaysian company Sea Gamer Mall, which was founded by Wong.[1] On September 14, 2020, Malaysian authorities arrested both individuals in Sitawan.[1]

Ties with the Chinese government

[edit]

APT 41's operations are described as "moonlighting" due to their balance of espionage supported by the Chinese state and financially motivated activities outside of state authorization in their downtime.[9][16][17] As such, it is harder to ascertain whether particular incidents are state-directed or not.[18] The organization has conducted multiple operations against 14 countries, most notably the United States. Such activities include incidents of tracking, the compromising of business supply chains, and collecting surveillance data.[19] In 2022, APT 41 was linked to theft of at least $20 million in COVID-19 relief aid in the U.S.[20]

APT 41 uses cyber-espionage malware typically kept exclusive to the Chinese government.[21] This characteristic is common for other advanced persistent threats, as this allows them to derive information to spy on high-profile targets or make contact with them to gain information that benefits national interest.[22] APT 41 relation to the Chinese state can be evidenced by the fact that none of this information is on the dark web and may be obtained by the CCP.[23]

APT 41 targeting is consistent with the Chinese government's national plans to move into high research and development fields and increase production capabilities. Such initiatives coincide with the Chinese government's "Made in China 2025" plan, aiming to move Chinese production into high-value fields such as pharmacy, semi-conductors, and other high-tech sectors.[9][24]

FireEye has also evaluated with moderate confidence that APT 41 may engage in contract work associated with the Chinese government. Identified personas associated with the group have previously advertised their skills as hackers for hire. Their usage of HOMEUNIX and PHOTO in their personal and financially motivated operations, which are malware inaccessible to the public used by other state-sponsored espionage actors also evidences this stance.[9] It is also recognized in China that more skilled hackers tend to work in the private sector under government contracts due to the higher pay.[25] The FireEye report also noted that the Chinese state has depended on contractors to assist with other state operations focused on cyber-espionage, as demonstrated by prior Chinese advanced persistent threats like APT 10.[9][26] APT 41 is viewed by some as potentially made up of skilled Chinese citizens, who are used and employed by the Chinese government, leading to the assumptions that members of the group often work two jobs, which is supported by their operating hours.[9][27]

Techniques

[edit]

The operating techniques of APT 41 are distinct, particularly in their usage of passive backdoors compared to traditional ones. While traditional backdoors used by other advanced persistent threats are easily detectable, this technique is often much harder to identify.[9] Techniques applied in financially motivated APT 41 activity also include software supply-chain compromises. This has allowed them to implement injected codes into legitimate files to be distributed, which endanger other organizations by stealing data and altering systems.[28] Sophisticated malware is often deployed as well to remain undetected while extracting data.[27] Bootkits are also a type of malware used by the group, which is both difficult to detect and harder to find among other cyber espionage and cybercrime groups, making it harder for security systems to detect malicious code.[9] They also used Deadeye launcher and Lowkey malware to perform instant reconnaissance while remaining undetected.[29]

Spear-phishing emails are regularly used by APT 41 across both cyber espionage and financial attacks.[11] The group has sent many misleading emails which attempt to take information from high-level targets after gathering personal data to increase the likelihood of success.[30] Targets have varied from media groups for espionage activities to bitcoin exchanges for financial gain.[9]

Activities

[edit]

Espionage activity

APT 41's targeting is deemed by FireEye to correlate with China's national strategies and goals, particularly those regarding technology.[9][27][31] The targeting of tech firms align with Chinese interest in developing high-tech instruments domestically, as demonstrated by the 12th and 13th Five-Year Plans.[9] The attack on organizations in various different sectors is believed by FireEye to be indicative of APT 41 fulfilling specifically assigned tasks. Campaigns attributed to APT 41 also demonstrates that the group is used to obtain information before major political and financial events.[9][31] They have attacked companies in 14 different countries (and Hong Kong) including France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, the United Kingdom, and the United States.[32] They have also been discovered in several different industries, including healthcare, telecommunications, and technology.[32]

The German company TeamViewer AG, behind the popular software of the same name which allowed system control remotely, was hacked in June 2016 by APT 41 according to a FireEye security conference.[33] The group was able to access the systems of TeamViewer users around the world and obtain management details and information regarding businesses.[33] In 2021 APT 41 launched several phishing scams in India that were found by the BlackBerry Research and Intelligence. They also stole data relating to new tax legislation and COVID-19 records and statistics. The group masked their identity to be the Indian government so that they would remain undetected.[34]

Financially motivated activities

APT 41 has targeted the video-game industry for the majority of its activity focused on financial gain.[9] Chinese internet forums indicated that associated members linked to APT 41 have advertised their hacking skills outside of Chinese office hours for their own profits.[27] In one FireEye reported case, the group was able to generate virtual game currency and sell it to buyers through underground markets and laundering schemes,[1][9][19] which could have been sold for up to US$300,000.[31] Although it is not a typical method used by the group for collecting money, APT 41 also attempted to deploy ransomware to profit from their operations.[9]

FireEye reports that because most of APT 41's financially motivated activity occurs later in the night or early in the morning, this could mean that these activities are completely unrelated to their espionage activities.[9] FireEye reports that APT 41's activities are on average between 10:00 to 23:00 China Standard Time, which is typical for Chinese tech workers who follow a "996" work schedule.[9]

APT 41 uses digital certificates obtained from video game developers and producers to sign their malware.[1][35] Through the application of over 19 different digital certificates, they target both gaming and non-gaming organizations to avoid detection and ensure compatibility with the systems of the target.[9] In 2012, a certificate from a South Korean game publisher was leveraged by APT 41 to sign the malware they use against other members of the gaming industry.[9] In 2021 APT 41 launched a series of attacks against the illegal gambling industry in China.[36]

U.S. Department of Justice

[edit]

On September 16, 2020, the United States Department of Justice released previously sealed charges against 5 Chinese and 2 Malaysian citizens for hacking more than 100 companies across the world.[1][37] These include firms involved in social-media, universities, telecommunications providers, software development, computer hardware, video-games, non-profit organizations, think tanks, foreign governments, and pro-democracy supporters in Hong Kong.[1][38] The attacks were said to have involved the theft of code, code signing certificates, customer data and business information.[37] Deputy Attorney General Jeffrey Rosen says that these actions involved having the hackers plant "back-doors" into software which allowed direct access to the systems of the software provider's company.[39] Two of the Chinese hackers also conducted attacks on the US gaming industry, which involved at least 6 companies in New York, Texas, Washington, Illinois, California, and the United Kingdom.[37]

The U.S. District Court for the District of Columbia distributed warrants calling for the seizure of accounts, servers, domain names, and web pages used by the hackers to conduct their operations. The FBI had the responsibility of executing the warrants as well as other private sector companies.[1] Microsoft also developed technical measures to prevent continued access to computer systems of victims. The Federal Bureau of Investigation released a report containing technical information that can be used by private sector groups.[1]

The Justice Department congratulated the Malaysian government, particularly the Attorney General's Chambers of Malaysia and the Royal Malaysia Police, in cooperating and aiding their arrest of the two Malay nationals, particularly since difficulties lie in arresting foreign hackers in general.[1][38] The press release mentioned Microsoft, Google, Facebook and Verizon Media as groups which helped their investigation.[1] The FBI also credited the Taiwanese Ministry of Justice Investigation Bureau, which helped provide information to US authorities after discovering APT 41 servers set up in California.[40][41]

Contrastingly, Rosen criticized the Chinese Communist Party in their inaction when it came to assisting the FBI for the arrest of the 5 Chinese hackers associated with APT 41.[38][39] Rosen also claimed that the Chinese Communist Party was "making China safe for their cyber criminals" as they continue to assist them in espionage.[39] Chinese Foreign Ministry spokesman Wang Wenbin says that the US uses its own cybersecurity issues to "attack China" through spreading false information, and political manipulation.[37]

This announcement was made during President Donald Trump's re-election campaign, associating the Chinese Communist Party with various cyber-espionage attacks. Alongside Russia and Iran, China was identified in a national threat assessment to the election.[39][42]

[edit]

APT 41 has overlaps in activity with public reporting on other groups such as Barium and Winnti.[2] In terms of technique, there are many overlaps in digital certificates and malware. According to FireEye, one of the most prominent similarities is the use of similar malware, particularly HIGHNOON, across various areas of activity.[2] The use of the HIGHNOON malware was reported by FireEye and grouped under the APT 15 group (also known as Ke3chang, Vixen Panda, GREF, Playful Dragon).[9] However, this was later found to be the work of multiple Chinese groups which share tools and strategies. A digital certificate distributed by video game company YNK Japan was used by APT 41, as well as other APT groups such as APT 17 and APT 20.[9] A digital certificate allegedly from the Microsoft Certificate Authority was also used by APT 41 and APT 40.[9] Non-public malware used by APT 41 is linked to other alleged Chinese state-sponsored groups, which may indicate that APT 41 has shared resources with other groups.[9][17]

See also

[edit]

Notes

[edit]
  1. ^ Other names include APT41, BARIUM, Axiom, Winnti, Wicked Panda, Wicked Spider,[1] TG-2633, Bronze Atlas, Red Kelpie, Blackfly,[2] or Brass Typhoon[3]

References

[edit]
  1. ^ a b c d e f g h i j k l m n "Seven International Cyber Defendants, Including "Apt41" Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally" (Press release). Washington. United States Department of Justice. September 16, 2020. Archived from the original on December 6, 2022. Retrieved April 20, 2021.
  2. ^ a b c "APT 41 – Threat Group Cards: A Threat Actor Encyclopedia". apt.thaicert.or.th. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  3. ^ "How Microsoft names threat actors". Microsoft. Retrieved January 21, 2024.
  4. ^ Volz, Dustin (March 8, 2022). "U.S. State Governments Hit in Chinese Hacking Spree". The Wall Street Journal. ISSN 0099-9660. Archived from the original on March 10, 2022. Retrieved March 10, 2022.
  5. ^ Cimpanu, Catalin. "US charges five hackers from Chinese state-sponsored group APT41". ZDNet. Archived from the original on September 16, 2020. Retrieved September 17, 2020.
  6. ^ "FBI Deputy Director David Bowdich's Remarks at Press Conference on China-Related Cyber Indictments". Federal Bureau of Investigation. Archived from the original on September 17, 2020. Retrieved September 17, 2020.
  7. ^ Rodzi, Nadirah H. (September 17, 2020). "Malaysian digital game firm's top execs facing extradition after US accuses them of cyber crimes". The Straits Times. Archived from the original on September 18, 2020. Retrieved September 17, 2020.
  8. ^ Yong, Charissa (September 16, 2020). "China acting as a safe haven for its cyber criminals, says US". The Straits Times. Archived from the original on September 17, 2020. Retrieved September 17, 2020.
  9. ^ a b c d e f g h i j k l m n o p q r s t u v w x y z aa APT41: A Dual Espionage and Cyber Crime Operation (Report). FireEye. August 7, 2019. Archived from the original on May 7, 2021. Retrieved April 20, 2020.
  10. ^ "[Video] State of the Hack: APT41 – Double Dragon: The Spy Who Fragged Me". FireEye. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  11. ^ a b Kendzierskyj, Stefan; Jahankhani, Hamid (2020), Critical National Infrastructure, C4ISR and Cyber Weapons in the Digital Age, Advanced Sciences and Technologies for Security Applications, Cham: Springer International Publishing, pp. 3–21, doi:10.1007/978-3-030-35746-7_1, ISBN 978-3-030-35745-0, S2CID 216513092, retrieved May 25, 2021
  12. ^ a b Eddy, Max (August 7, 2019). "APT41 Is Not Your Usual Chinese Hacker Group". PCMag Australia. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  13. ^ a b "Chinese and Malaysian hackers charged by US over attacks". BBC News. September 16, 2020. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  14. ^ Geller, Eric (September 16, 2020). "U.S. charges 5 Chinese hackers, 2 accomplices with broad campaign of cyberattacks". POLITICO. Archived from the original on December 2, 2022. Retrieved May 29, 2021.
  15. ^ "DOJ says five Chinese nationals hacked into 100 U.S. companies". NBC News. September 16, 2020. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  16. ^ Steffens, Timo (2020), "Advanced Persistent Threats", Attribution of Advanced Persistent Threats, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 3–21, doi:10.1007/978-3-662-61313-9_1, ISBN 978-3-662-61312-2, S2CID 226742586, retrieved May 25, 2021
  17. ^ a b Bing, Joseph Menn, Jack Stubbs, Christopher (August 7, 2019). "Chinese government hackers suspected of moonlighting for profit". Reuters. Archived from the original on May 31, 2021. Retrieved May 29, 2021.{{cite news}}: CS1 maint: multiple names: authors list (link)
  18. ^ Bateman, Jon. War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions. Carnegie Endowment for International Peace. OCLC 1229752520.
  19. ^ a b Kianpour, Mazaher (2021). "Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property – The Case of APT41". arXiv:2103.04901 [cs.CR].
  20. ^ Fitzpatrick, Sarah; Ramgopal, Kit (December 5, 2022). "Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says". NBC News. Archived from the original on December 5, 2022. Retrieved December 5, 2022.
  21. ^ Naughton, Liam; Daly, Herbert (2020), Augmented Humanity: Data, Privacy and Security, Advanced Sciences and Technologies for Security Applications, Cham: Springer International Publishing, pp. 73–93, doi:10.1007/978-3-030-35746-7_5, ISBN 978-3-030-35745-0, S2CID 216436285, retrieved May 25, 2021
  22. ^ Lightfoot, Katie (2020). Examining Chinese Cyber-Attacks: Targets and Threat Mitigations (Msc). Utica College. ProQuest 2478472331. Archived from the original on March 31, 2022. Retrieved May 25, 2021.
  23. ^ Chen, Ming Shen (2019). "China's Data Collection on US Citizens:Implications, Risks, and Solutions" (PDF). Journal of Science Policy & Governance. 15. Archived (PDF) from the original on January 27, 2021. Retrieved May 25, 2021.
  24. ^ "Potential for China Cyber Response to Heightened U.S.–China Tensions" (Press release). Rosslyn. Cybersecurity and Infrastructure Security Agency. October 1, 2020. Archived from the original on April 20, 2021. Retrieved April 20, 2021.
  25. ^ Wong, Edward (May 22, 2013). "Hackers Find China Is Land of Opportunity". The New York Times. ISSN 0362-4331. Archived from the original on May 25, 2021. Retrieved May 25, 2021.
  26. ^ Lyall, Nicholas (March 1, 2018). "China's Cyber Militias". thediplomat.com. Archived from the original on March 2, 2018. Retrieved May 25, 2021.
  27. ^ a b c d Australian Universities under Attack: A CiLab PACE Project (PDF) (Report). Macquarie University. 2020. Archived (PDF) from the original on May 4, 2021.
  28. ^ Kim, Bong-Jae; Lee, Seok-Won (2020). "Understanding and recommending security requirements from problem domain ontology: A cognitive three-layered approach". Journal of Systems and Software. 169: 110695. doi:10.1016/j.jss.2020.110695. ISSN 0164-1212. S2CID 221592911.
  29. ^ capsnetdroff (August 4, 2022). "Decoding Chinese Hacking Syndicate – APT 41". CAPS India. Archived from the original on May 2, 2023. Retrieved May 2, 2023.
  30. ^ O'Leary, Daniel E. (2019). "What Phishing E-mails Reveal: An Exploratory Analysis of Phishing Attempts Using Text Analyzes". SSRN Electronic Journal. doi:10.2139/ssrn.3427436. ISSN 1556-5068. S2CID 239250225. Archived from the original on March 21, 2021. Retrieved May 25, 2021.
  31. ^ a b c Doffman, Zak. "Spies By Day, Thieves By Night—China's Hackers Using Espionage Tools For Personal Gain: Report". Forbes. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  32. ^ a b XTI, SOCRadar (March 15, 2022). "Deep Web Profile: APT41/Double Dragon". SOCRadar Cyber Intelligence Inc. Archived from the original on May 2, 2023. Retrieved May 2, 2023.
  33. ^ a b Hu, Chunhui; Zhang, Ling; Luo, Xian; Chen, Jianfeng (April 15, 2020). "Research of Global Strategic Cyberspace Security Risk Evaluation System Based on Knowledge Service". Proceedings of the 2020 3rd International Conference on Geoinformatics and Data Analysis. Icgda 2020. New York, NY, USA: ACM. pp. 140–146. doi:10.1145/3397056.3397084. ISBN 978-1-4503-7741-6. S2CID 220281616.
  34. ^ capsnetdroff (August 4, 2022). "Decoding Chinese Hacking Syndicate – APT 41". CAPS India. Archived from the original on May 2, 2023. Retrieved May 2, 2023.
  35. ^ "Software Supply Chain Attacks | CISA". www.cisa.gov. May 20, 2021. Archived from the original on May 24, 2021. Retrieved May 29, 2021.
  36. ^ Starks, Tim (July 12, 2021). "Suspected Chinese hackers return with unusual attacks on domestic gambling companies". www.cyberscoop.com. Cyberscoop. Archived from the original on July 17, 2021. Retrieved July 17, 2021.
  37. ^ a b c d "DOJ Indicts Chinese Hackers for Break-Ins at 100 Companies (3)". news.bloomberglaw.com. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  38. ^ a b c O’Keeffe, Dustin Volz, Aruna Viswanatha and Kate (September 16, 2020). "U.S. Charges Chinese Nationals in Cyberattacks on More Than 100 Companies". Wall Street Journal. ISSN 0099-9660. Archived from the original on June 2, 2021. Retrieved May 29, 2021.{{cite news}}: CS1 maint: multiple names: authors list (link)
  39. ^ a b c d Johnson, Kevin. "5 Chinese citizens at large, 2 Malaysian suspects arrested in global hacking campaign targeting gaming". USA TODAY. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  40. ^ "Taiwan, US nail Chinese hackers behind mass cyberattacks". Taiwan News. September 18, 2020. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  41. ^ "FBI agent thanks Taiwan for help in indicting Chinese hackers – Focus Taiwan". focustaiwan.tw (in Chinese). September 18, 2020. Archived from the original on June 2, 2021. Retrieved May 29, 2021.
  42. ^ Evanina, William (August 7, 2020). "STATEMENT BY NCSC DIRECTOR WILLIAM EVANINA: ELECTION THREAT UPDATE FOR THE AMERICAN PUBLIC" (Press release). Office of the Director of National Intelligence. Archived from the original on November 19, 2020. Retrieved May 29, 2021.