LAS VEGAS—A Chinese hacker group known as APT41 appears to have taken up financial crimes in addition to the usual state-sponsored cyber espionage, FireEye researchers revealed here at Black Hat.
“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain,” Sandra Joyce, SVP of Global Threat Intelligence at FireEye, said in a statement.
This kind of behavior is “unusual among Chinese state-sponsored groups,” according to FireEye.
APT41’s activity dates back to 2012, when it attacked targets in the video game industry. The group expanded its reach over the last seven years, eventually encompassing everything from healthcare and telecoms to tech firms and film and media companies. These actions, FireEye says, were meant to further the goals of the Chinese government. In one specific instance the company cites, the group went after a hotel where Chinese officials were staying, presumably as part of some kind of reconnaissance effort.
APT41 is “highly agile and persistent, responding quickly to changes in victim environments and incident responder activity,” FireEye says. That’s a fancy way of saying APT41 rolls with the punches and is able to get back into systems even after the good guys clear them out. In one instance, the group deployed over 150 unique pieces of malware in a year-long campaign against a single target.
But what makes APT41 unique are the efforts it has allegedly taken to enrich itself. FireEye identified two forum users trading under the names “Zhang Xuguang” and “Wolfzhi” who advertised their hacking skills. The hours of operation of these accounts match the hours when APT41 is actively attacking video game targets, suggesting APT41 is taking jobs on the side or—in the words of FireEye—“moonlighting.”
In order to bring in revenue, “APT41 has manipulated virtual currencies and even attempted to deploy ransomware,” writes FireEye. APT41 has allegedly targeted developers, breaking into their networks and stealing digital certificates in order to sign malicious code. Properly signed, this malware is accepted as legitimate, allowing it to be distributed to targets. FireEye describes this as a “supply chain” attack, and says it’s a hallmark of APT41’s operations.
APT41 has enjoyed much success, but its best trick appears to be its pursuit of profit. “APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enable it to conduct its own for-profit activities, or authorities are willing to overlook them,” writes FireEye. “It is also possible that APT41 has simply evaded scrutiny from Chinese authorities.”
If it’s the latter, FireEye may have just caused APT41 a lot of trouble.