
FireEye identifies dual nature Chinese cyber threat group

Security researchers have identified a China-based cyber threat group engaged in state-sponsored espionage in parallel with cyber criminal activities targeting multiple industries worldwide

A Chinese advanced persistent threat (APT) group dubbed APT41 is targeting organisations in the healthcare, gaming, high tech and media industries in 15 jurisdictions, say researchers at security firm FireEye.

The group, believed to have been operational for more than seven years, is unique among China-based actors because it uses tools that are typically reserved for espionage campaigns for activity that appears to be for personal gain, and therefore criminal in nature.

“APT41 is as agile as its members are skilled and well-resourced,” said Sandra Joyce, senior vice-president of global threat intelligence at FireEye.

“Their aggressive and persistent operations for both espionage and cyber crime purposes distinguish APT41 from other adversaries and make them a major threat across multiple industries.”

FireEye has observed individual members of APT41 conducting primarily financially motivated operations since 2012 before expanding into likely state-sponsored activity, using the same tools and tactics for both.

The group is known to use more than 46 different malware families and tools to accomplish its missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group.

Evidence suggests that these two motivations were behind the group’s activities from 2014, focusing on organisations in the UK, US, France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey and Hong Kong.

Espionage campaigns have targeted the healthcare, high tech and telecommunications sectors with the purpose of collecting strategic intelligence and stealing intellectual property.

In one instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoitre the facility for security reasons.

The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware, the researchers said.

They also highlight that APT41 is known to use its access to production environments to inject malicious code into legitimate files that are later distributed to victim organisations.

“These supply chain compromise tactics have also been characteristic of APT41’s best-known and most recent espionage campaigns,” the researchers said in a blog post.


FireEye notes that, like other attackers, APT groups try to steal data, disrupt operations or destroy infrastructure. But unlike most cyber criminals, APT attackers pursue their objectives over months or years. They also tend to adapt to cyber defences and frequently retarget the same victim.

According to FireEye, all enterprise security teams should be aware of the most active APT groups and take extra precautions when they detect malware linked to previous APT attacks.

The security firm also highlights that every organisation that is connected to the internet is a potential APT target, and not just government organisations and defence contractors.

Another significant characteristic of APT41 identified by FireEye is that the group quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organisation’s network.

In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks, the researchers said.

FireEye researchers note that APT41 partially overlaps with public reporting on groups including BARIUM by Microsoft and Winnti by Kaspersky, ESET and ClearSky.

APT41’s links to both underground marketplaces and state-sponsored activity may indicate that the group enjoys protections that enable it to conduct its own for-profit activities, or that the authorities are willing to overlook them, the researchers said.

“It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.”
