Security Experts:

Connect with us

Hi, what are you looking for?



China’s Winnti Group Hacked at Least 13 Organizations in 2021: Security Firm

Chinese state-sponsored threat group Winnti compromised at least 13 organizations globally in 2021, spanning across multiple sectors, cybersecurity firm Group-IB says.

Chinese state-sponsored threat group Winnti compromised at least 13 organizations globally in 2021, spanning across multiple sectors, cybersecurity firm Group-IB says.

Also referred to as APT41, Barium, Blackfly, Double Dragon, Wicked Panda, and Wicked Spider, the Winnti group has been active since at least 2007, engaging in both cyberespionage operations and financially motivated attacks.

In September 2020, the US Department of Justice announced charges against five Chinese nationals believed to be part of the Winnti group, who allegedly launched attacks against over 100 organizations in the US and abroad.

Despite the indictment and numerous public reports detailing the group’s activities, the hackers continued their operations. In March 2022, Mandiant detailed the hacking of at least six US state government organizations between May 2021 and February 2022.

In a new report, Group-IB provides a broader perspective on the group’s activities throughout 2021: the hackers compromised at least 13 organizations, often targeting SQL injection vulnerabilities in web applications, but deploying a custom Cobalt Strike Beacon in each case.

Targets included airlines, consulting, education, finance, government, hospitality, healthcare, logistics, manufacturing, media, software, sports, telecommunications, and travel organizations in Bangladesh, Brunei, China, India, Indonesia, Ireland, Hong Kong, Mongolia, Thailand, Taiwan, Vietnam, the US, and the UK.

As part of these attacks, the threat actor performed reconnaissance using tools such as vulnerability scanners (Acunetix, JexBoss), network scanners (Nmap), and brute-forcing utilities (OneForAll, Sqlmap, subdomain3, subDomainsBrute, and Sublist3r). They also used, a Chinese equivalent of, for gathering information on open ports and running services.

The attackers performed SQL injections against 43 web applications (out of 86 they probed) to access the command shell of the targeted servers and gain command execution capabilities. Task Scheduler and Windows services were used to achieve persistence.

Group-IB grouped the observed activity into four malicious campaigns, based on the domain names that were used in each of them: ColunmTK, DelayLinkTK, Gentle-Voice, and Mute-Pond.

As part of most of the observed campaigns, the attackers used a Windows utility called Ntdsutil to obtain the ntds.dit file, which stores Active Directory data, including user credentials. The hackers were also observed mapping the victim’s network and performing lateral movement.

After gaining access to server configurations, backup data, and user data, the cyberspies proceeded to exfiltrate information of interest, but Group-IB believes that they “did not exfiltrate a large amount of confidential documents.”

Related: China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

Related: New Winnti Backdoor Targets Microsoft SQL

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.