Connect with us

Hi, what are you looking for?



U.S. Charges Alleged Hackers of Chinese APT41 Group for Attacks on 100 Firms

Hackers of China's APT41 group charged

Hackers of China's APT41 group charged

The United States Department of Justice on Wednesday announced indictments against five Chinese nationals believed to be part of a state-sponsored hacking group known as APT41.

Also known as Winnti, Barium, Wicked Panda and Wicked Spider, the hackers allegedly launched cyberattacks on more than 100 companies in the United States and abroad.

Their targets, the DoJ says, include software and video game companies, computer hardware makers, telecom providers, and social media organizations, but also governments, non-profit entities, universities, and think tanks, not to mention pro-democracy politicians and activists in Hong Kong.

In August 2019 and August 2020, a federal grand jury returned two separate indictments charging the five Chinese nationals with facilitating “theft of source code, software code signing certificates, customer account data, and valuable business information,” the DoJ revealed. The hackers also engaged in ransomware and crypto-jacking attacks.

The five residents of China that the U.S. announced charges against are all on the FBI’s most wanted list: Zhang Haoran, 35, Tan Dailin, 35, Jiang Lizhi, 35, Qian Chuan, 39, and Fu Qiang, 37.

They have been charged with multiple counts of conspiracy, aggravated identity theft, access device fraud, wire fraud, money laundering, and violations of the Computer Fraud and Abuse Act (CFAA), among others.

The August 2019 indictment alleges that Zhang and Tan targeted high-technology and similar organizations and video game companies.

Advertisement. Scroll to continue reading.

The August 2020 indictment charges Jiang, Qian, and Fu with conducting the affairs of a Chinese company named Chengdu 404 Network Technology “through a pattern of racketeering activity involving computer intrusion offenses affecting over 100 victim companies, organizations, and individuals in the United States and around the world, including in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.”

Additionally, they gained access to foreign government computer networks in India and Vietnam, and also targeted similar networks in the United Kingdom. The hackers also launched a ransomware attack against a non-profit organization dedicated to addressing global poverty.

In their operations, the Chengdu 404 defendants employed techniques such as supply chain attacks, dead drops and publicly available exploits and tools. They allegedly targeted vulnerabilities such as CVE-2019-19781, CVE-2019-11510, CVE-2019-16920, CVE-2019-16278, CVE-2019-1652/CVE-2019-1653, and CVE-2020-10189.

A third indictment returned by the same federal jury in August 2020 charges Malaysian businessmen Wong Ong Hua, 46, and Ling Yang Ching, 32, for conspiring with two of the Chinese hackers. They were both arrested in Sitiawan, Malaysia, this week, on U.S. warrants issued in August 2020.

The two have been charged with “23 counts of racketeering, conspiracy, identity theft, aggravated identity theft, access device fraud, money laundering, violations of the CFAA, and falsely registering domain names,” the DoJ reveals.

Seizure warrants issued by the U.S. District Court for the District of Columbia have resulted in law enforcement taking control of hundreds of accounts, domain names, servers, and command and control (C&C) dead drop web pages that the defendants were leveraging in their operations.

“APT41 has been the most prolific Chinese threat actor tracked by Mandiant Threat Intelligence over the last year. This is a unique actor, who carries out global cyber espionage while simultaneously pursuing a criminal venture. Their activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into traditional espionage, most likely directed by the state. APT41’s ability to successfully blend their criminal and espionage operations is remarkable,” John Hultquist, Senior Director of Analysis, Mandiant Threat Intelligence, said in an emailed comment.

“In recent years they have focused heavily on telecommunications, travel, and hospitality sectors, which we believe are attempts to identify, monitor, and track individuals of interest, operations which could have serious, even physical consequences for some victims. They have also participated in efforts to monitor Hong Kong during recent democracy protests.

Though much of the intellectual property theft connected to this actor has declined in favor of other operations in recent years, they have continued to target medical institutions, suggesting they may still have an interest in medical technology,” Hultquist added.

Related: U.S. Indicts Two Chinese Nationals for Hacking Hundreds of Organizations

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

Related: Chinese Hackers Target Hong Kong Universities With New Backdoor Variant

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.