Security Experts:

Connect with us

Hi, what are you looking for?



China’s Winnti Group Hacked at Least 13 Organizations in 2021: Security Firm

Chinese state-sponsored threat group Winnti compromised at least 13 organizations globally in 2021, spanning across multiple sectors, cybersecurity firm Group-IB says.

Chinese state-sponsored threat group Winnti compromised at least 13 organizations globally in 2021, spanning across multiple sectors, cybersecurity firm Group-IB says.

Also referred to as APT41, Barium, Blackfly, Double Dragon, Wicked Panda, and Wicked Spider, the Winnti group has been active since at least 2007, engaging in both cyberespionage operations and financially motivated attacks.

In September 2020, the US Department of Justice announced charges against five Chinese nationals believed to be part of the Winnti group, who allegedly launched attacks against over 100 organizations in the US and abroad.

Despite the indictment and numerous public reports detailing the group’s activities, the hackers continued their operations. In March 2022, Mandiant detailed the hacking of at least six US state government organizations between May 2021 and February 2022.

In a new report, Group-IB provides a broader perspective on the group’s activities throughout 2021: the hackers compromised at least 13 organizations, often targeting SQL injection vulnerabilities in web applications, but deploying a custom Cobalt Strike Beacon in each case.

Targets included airlines, consulting, education, finance, government, hospitality, healthcare, logistics, manufacturing, media, software, sports, telecommunications, and travel organizations in Bangladesh, Brunei, China, India, Indonesia, Ireland, Hong Kong, Mongolia, Thailand, Taiwan, Vietnam, the US, and the UK.

As part of these attacks, the threat actor performed reconnaissance using tools such as vulnerability scanners (Acunetix, JexBoss), network scanners (Nmap), and brute-forcing utilities (OneForAll, Sqlmap, subdomain3, subDomainsBrute, and Sublist3r). They also used, a Chinese equivalent of, for gathering information on open ports and running services.

The attackers performed SQL injections against 43 web applications (out of 86 they probed) to access the command shell of the targeted servers and gain command execution capabilities. Task Scheduler and Windows services were used to achieve persistence.

Group-IB grouped the observed activity into four malicious campaigns, based on the domain names that were used in each of them: ColunmTK, DelayLinkTK, Gentle-Voice, and Mute-Pond.

As part of most of the observed campaigns, the attackers used a Windows utility called Ntdsutil to obtain the ntds.dit file, which stores Active Directory data, including user credentials. The hackers were also observed mapping the victim’s network and performing lateral movement.

After gaining access to server configurations, backup data, and user data, the cyberspies proceeded to exfiltrate information of interest, but Group-IB believes that they “did not exfiltrate a large amount of confidential documents.”

Related: China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

Related: New Winnti Backdoor Targets Microsoft SQL

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.