Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

China’s Winnti Group Hacked at Least 13 Organizations in 2021: Security Firm

Chinese state-sponsored threat group Winnti compromised at least 13 organizations globally in 2021, spanning across multiple sectors, cybersecurity firm Group-IB says.

Chinese state-sponsored threat group Winnti compromised at least 13 organizations globally in 2021, spanning across multiple sectors, cybersecurity firm Group-IB says.

Also referred to as APT41, Barium, Blackfly, Double Dragon, Wicked Panda, and Wicked Spider, the Winnti group has been active since at least 2007, engaging in both cyberespionage operations and financially motivated attacks.

In September 2020, the US Department of Justice announced charges against five Chinese nationals believed to be part of the Winnti group, who allegedly launched attacks against over 100 organizations in the US and abroad.

Despite the indictment and numerous public reports detailing the group’s activities, the hackers continued their operations. In March 2022, Mandiant detailed the hacking of at least six US state government organizations between May 2021 and February 2022.

In a new report, Group-IB provides a broader perspective on the group’s activities throughout 2021: the hackers compromised at least 13 organizations, often targeting SQL injection vulnerabilities in web applications, but deploying a custom Cobalt Strike Beacon in each case.

Targets included airlines, consulting, education, finance, government, hospitality, healthcare, logistics, manufacturing, media, software, sports, telecommunications, and travel organizations in Bangladesh, Brunei, China, India, Indonesia, Ireland, Hong Kong, Mongolia, Thailand, Taiwan, Vietnam, the US, and the UK.

As part of these attacks, the threat actor performed reconnaissance using tools such as vulnerability scanners (Acunetix, JexBoss), network scanners (Nmap), and brute-forcing utilities (OneForAll, Sqlmap, subdomain3, subDomainsBrute, and Sublist3r). They also used fofa.su, a Chinese equivalent of shodan.io, for gathering information on open ports and running services.

The attackers performed SQL injections against 43 web applications (out of 86 they probed) to access the command shell of the targeted servers and gain command execution capabilities. Task Scheduler and Windows services were used to achieve persistence.

Advertisement. Scroll to continue reading.

Group-IB grouped the observed activity into four malicious campaigns, based on the domain names that were used in each of them: ColunmTK, DelayLinkTK, Gentle-Voice, and Mute-Pond.

As part of most of the observed campaigns, the attackers used a Windows utility called Ntdsutil to obtain the ntds.dit file, which stores Active Directory data, including user credentials. The hackers were also observed mapping the victim’s network and performing lateral movement.

After gaining access to server configurations, backup data, and user data, the cyberspies proceeded to exfiltrate information of interest, but Group-IB believes that they “did not exfiltrate a large amount of confidential documents.”

Related: China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

Related: New Winnti Backdoor Targets Microsoft SQL

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.