The United States Department of Justice on Wednesday announced indictments against five Chinese nationals believed to be part of a state-sponsored hacking group known as APT41.
Also known as Winnti, Barium, Wicked Panda and Wicked Spider, the hackers allegedly launched cyberattacks on more than 100 companies in the United States and abroad.
Their targets, the DoJ says, include software and video game companies, computer hardware makers, telecom providers, and social media organizations, but also governments, non-profit entities, universities, and think tanks, not to mention pro-democracy politicians and activists in Hong Kong.
In August 2019 and August 2020, a federal grand jury returned two separate indictments charging the five Chinese nationals with facilitating “theft of source code, software code signing certificates, customer account data, and valuable business information,” the DoJ revealed. The hackers also engaged in ransomware and crypto-jacking attacks.
The five Chinese nationals charged by the U.S. are all on the FBI’s most wanted list: Zhang Haoran, 35, Tan Dailin, 35, Jiang Lizhi, 35, Qian Chuan, 39, and Fu Qiang, 37.
They have been charged with multiple counts of conspiracy, aggravated identity theft, access device fraud, wire fraud, money laundering, and violations of the Computer Fraud and Abuse Act (CFAA), among others.
The August 2019 indictment alleges that Zhang and Tan targeted high-technology and similar organizations and video game companies.
The August 2020 indictment charges Jiang, Qian, and Fu with conducting the affairs of a Chinese company named Chengdu 404 Network Technology “through a pattern of racketeering activity involving computer intrusion offenses affecting over 100 victim companies, organizations, and individuals in the United States and around the world, including in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.”
Additionally, they gained access to foreign government computer networks in India and Vietnam, and also targeted similar networks in the United Kingdom. The hackers also launched a ransomware attack against a non-profit organization dedicated to addressing global poverty.
In their operations, the Chengdu 404 defendants employed techniques such as supply chain attacks, dead drops, and publicly available exploits and tools. They allegedly targeted vulnerabilities such as CVE-2019-19781, CVE-2019-11510, CVE-2019-16920, CVE-2019-16278, CVE-2019-1652/CVE-2019-1653, and CVE-2020-10189.
A third indictment, returned by the same federal grand jury in August 2020, charges Malaysian businessmen Wong Ong Hua, 46, and Ling Yang Ching, 32, with conspiring with two of the Chinese hackers. They were both arrested in Sitiawan, Malaysia, this week, on U.S. warrants issued in August 2020.
The two have been charged with “23 counts of racketeering, conspiracy, identity theft, aggravated identity theft, access device fraud, money laundering, violations of the CFAA, and falsely registering domain names,” the DoJ reveals.
Seizure warrants issued by the U.S. District Court for the District of Columbia have resulted in law enforcement taking control of hundreds of accounts, domain names, servers, and command and control (C&C) dead drop web pages that the defendants were leveraging in their operations.
“APT41 has been the most prolific Chinese threat actor tracked by Mandiant Threat Intelligence over the last year. This is a unique actor, who carries out global cyber espionage while simultaneously pursuing a criminal venture. Their activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into traditional espionage, most likely directed by the state. APT41’s ability to successfully blend their criminal and espionage operations is remarkable,” John Hultquist, Senior Director of Analysis, Mandiant Threat Intelligence, said in an emailed comment.
“In recent years they have focused heavily on telecommunications, travel, and hospitality sectors, which we believe are attempts to identify, monitor, and track individuals of interest, operations which could have serious, even physical consequences for some victims. They have also participated in efforts to monitor Hong Kong during recent democracy protests.
Though much of the intellectual property theft connected to this actor has declined in favor of other operations in recent years, they have continued to target medical institutions, suggesting they may still have an interest in medical technology,” Hultquist added.