
US charges 5 Chinese and 2 Malaysian hackers as part of group APT41


Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally



Two Defendants Arrested in Malaysia; Remaining Five Defendants, One of Whom Allegedly Boasted of Connections to the Chinese Ministry of State Security, are Fugitives in China

In August 2019 and August 2020, a federal grand jury in Washington, D.C., returned two separate indictments charging five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.

 The intrusions, which security researchers have tracked using the threat labels “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider,” facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information.  These intrusions also facilitated the defendants’ other criminal schemes, including ransomware and “crypto-jacking” schemes, the latter of which refers to the group’s unauthorized use of victim computers to “mine” cryptocurrency. 

Also in August 2020, the same federal grand jury returned a third indictment charging two Malaysian businessmen who conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game industry in the United States and abroad.  Shortly thereafter, the U.S. District Court for the District of Columbia issued arrest warrants for the two businessmen.  On Sept. 14, 2020, pursuant to a provisional arrest request from the United States with a view to their extradition, Malaysian authorities arrested them in Sitiawan.  The department appreciates the significant cooperation and assistance provided by the Government of Malaysia, including the Attorney General’s Chambers of Malaysia and the Royal Malaysia Police.

In addition to arrest warrants for all of the charged defendants, in September 2020, the U.S. District Court for the District of Columbia issued seizure warrants that resulted in the recent seizure of hundreds of accounts, servers, domain names, and command-and-control ("C2") "dead drop" web pages used by the defendants to conduct their computer intrusion offenses.  The FBI executed the warrants in coordination with other actions by several private-sector companies, which included disabling numerous accounts for violations of the companies' terms of service.  In addition, in partnership with the department, Microsoft developed and implemented technical measures to block this threat actor from accessing victims' computer systems.  The actions by Microsoft were a significant part of the overall effort to deny the defendants continued access to hacking infrastructure, tools, accounts, and command and control domain names.  In coordination with today's announcement, the FBI has also released a Liaison Alert System (FLASH) report that contains critical, relevant technical information collected by the FBI for use by specific private-sector partners.

"The Department of Justice has used every tool available to disrupt the illegal computer intrusions and cyberattacks by these Chinese citizens," said Deputy Attorney General Jeffrey A. Rosen.  "Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China."

 “Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said Assistant Attorney General John C. Demers.  “This is the only way to neutralize malicious nation state cyber activity.”

“Today’s announcement demonstrates the ramifications faced by the hackers in China but it is also a reminder to those who continue to deploy malicious cyber tactics that we will utilize every tool we have to administer justice,” said FBI Deputy Director David Bowdich. “The arrests in Malaysia are a direct result of partnership, cooperation and collaboration. As the cyber threat continues to evolve larger than any one agency can address, the FBI remains committed to being an indispensable partner to our federal, international and private sector partners to stop rampant cyber crime and hold those carrying out these kind of actions accountable.”





Suspected attribution: China

Target sectors: APT41 has directly targeted organizations in at least 14 countries dating back to as early as 2012. The group's espionage campaigns have targeted healthcare, telecoms, and the high-tech sector, and have historically included stealing intellectual property. Their cyber crime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies, and attempted deployment of ransomware. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance.

Overview: APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

Associated malware: APT41 has been observed using at least 46 different code families and tools.

Attack vectors: APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits. APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems.


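The profile above names spear-phishing with compiled HTML Help (.chm) attachments as APT41's usual initial access. The following is an added example, not code from the forum post or from the FireEye or DOJ material it quotes: a small mail-gateway style check that parses a message with Python's standard `email` library and flags attachments by both the declared filename and the file's magic bytes (CHM files begin with the "ITSF" signature, PE executables with "MZ"), so a CHM renamed to .pdf is still caught. The sample message and the list of risky extensions are constructed for the demo, and the list is an assumption rather than a vendor-published one.

```python
"""Flag risky e-mail attachments such as compiled HTML Help (.chm) files.

Added example (not part of the forum post or of the FireEye/DOJ text it
quotes). The message below is constructed for the demo.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that commonly carry code and rarely have a business reason to
# arrive by e-mail. This list is an assumption for the example, not an
# exhaustive or vendor-published one.
RISKY_EXTENSIONS = {".chm", ".exe", ".scr", ".hta", ".js", ".jse", ".vbs", ".lnk", ".iso"}

# File signatures: CHM files start with "ITSF", Windows PE files with "MZ".
MAGIC = {
    b"ITSF": "compiled HTML Help (CHM)",
    b"MZ": "Windows PE executable",
}


def classify_attachment(filename, data):
    """Return a list of reasons an attachment looks risky (empty if none)."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"extension {ext}")
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"magic bytes: {label}")
            break
    # Declared name disagrees with content: a renamed CHM payload.
    if data.startswith(b"ITSF") and ext != ".chm":
        reasons.append("CHM content with non-.chm name")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message; return {filename: [reasons]} for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_message():
    """Construct a demo message: one benign and two risky attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Updated guidelines"
    msg.set_content("Please review the attached documents.")
    # Constructed CHM-like payload: a real CHM begins with the "ITSF" signature.
    msg.add_attachment(b"ITSF" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="guidelines.chm")
    # The same payload renamed to look like a PDF.
    msg.add_attachment(b"ITSF" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="guidelines.pdf")
    # A harmless attachment that must not be flagged.
    msg.add_attachment(b"%PDF-1.4\n...", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"FLAG {name}: {', '.join(reasons)}")
```

Checking the magic bytes as well as the extension is the point of the example: a filename filter alone is trivially bypassed by renaming, while a content check still fires. In production the same logic belongs at the gateway, before the message reaches a user who may double-click a "help file".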

So the Chinese security services are spying on companies, and on you.

Along with the NSA, GCHQ, Mossad, GRU/FSB/SVR, etc., etc.

The security services of all countries all spy on other countries businesses and citizens, and on their own business and citizens.

"Our dedicated security operatives monitoring the world to keep our way of life safe"; AKA spies to all those who are being monitored.

Where it's against the law to spy on your own citizens, they'll help one another out.
ie. GCHQ aren't supposed to spy on UK citizens - so the NSA spy on UK citizens and then share the info with GCHQ, and vice-versa.
One of the USA's biggest communication interception (spying) facilities is based at Menwith Hill, Yorkshire, UK. They intercept computer traffic, emails, phone calls, radio messages, etc., etc.
(It's slightly too big to call it a secret base, it can be easily seen from the main road).

(Not being suspicious of motives here, but Trump's obsession/attacks on China do divert attention from his own seemingly too cosy relationships with Russia).

Rant over. :ph34r:


It is now a well known fact that State Security Services and Military contract their respective country's hacker community members to assist in data and credential harvesting as well as monetary and intellectual property theft.  These joint venture Advanced Persistent Threats (APT) are assigned an APT number and may also be assigned a moniker such as Fancy Bear (APT28) and Cozy Bear (APT29).

Cozy Bear compromised the two US Political Party committees prior to the 2016 election.  For one they released data publicly through Wikileaks to subvert that Party.  The other Political Party's harvested data was kept private but was passed along and is now used for political leverage and held over that Political Party's head like the Sword of Damocles.


I think the point is that every country's security service is spying on everyone that they can.

We all know it and there is not a lot we can do about it.

It only hits the headlines when somebody wants to make a political point to divert attention.

(Failing election campaigns are an obvious reason to try and cause a distraction).


I'm far more concerned about the corporations/websites/applications/operating systems/computing/mobile devices etc. collecting data and what will happen once true AI goes online, potentially capable of hacking into and seamlessly accessing every bit of data from every server on the web, capable of identifying patterns, trends and cooking up social engineering techniques no human beings ever could.

Also bear in mind that governments don't need to spy directly when the likes of Microsoft, Google, Amazon and Facebook are perfectly capable of collecting it for them (along with our ISPs) since all they need to do is send a letter (no warrant, no judge required) to get all the data they want.  They don't need to tap your phone or perform an attack on your network when your cell provider and ISP are more than willing to fork over every bit of data on you anyway since they've been collecting it all along for their own marketing and telemetry purposes.


*** UPDATE ***  By Brian Krebs, KrebsonSecurity

Chinese Antivirus Firm Was Part of APT41 ‘Supply Chain’ Attack



One of the men indicted as part of APT41 — now 35-year-old Tan DaiLin — was the subject of a 2012 KrebsOnSecurity story that sought to shed light on a Chinese antivirus product marketed as Anvisoft. At the time, the product had been “whitelisted” or marked as safe by competing, more established antivirus vendors, although the company seemed unresponsive to user complaints and to questions about its leadership and origins.


Tan DaiLin, a.k.a. “Wicked Rose,” in his younger years. Image: iDefense

Anvisoft claimed to be based in California and Canada, but a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu in the Sichuan Province of China.

A review of Anvisoft's website registration records showed the company's domain originally was created by Tan DaiLin, an infamous Chinese hacker who went by the aliases "Wicked Rose" and "Withered Rose." At the time of the story, DaiLin was 28 years old.

That story cited a 2007 report (PDF) from iDefense, which detailed DaiLin’s role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker). According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.

“Wicked Rose and the NCPH hacking group are implicated in multiple Office based attacks over a two year period,” the iDefense report stated.

When I first scanned Anvisoft at Virustotal.com back in 2012, none of the antivirus products detected it as suspicious or malicious. But in the days that followed, several antivirus products began flagging it for bundling at least two trojan horse programs designed to steal passwords from various online gaming platforms.

Security analysts and U.S. prosecutors say APT41 operated out of a Chinese enterprise called Chengdu 404 that purported to be a network technology company but which served as a legal front for the hacking group's illegal activities, and that Chengdu 404 used its global network of compromised systems as a kind of dragnet for information that might be useful to the Chinese Communist Party.


