Chinese Government Hackers Moonlight For Extra Cash – FireEye

Security researchers at FireEye have warned that APT41, one of the most effective hacking teams backed by the Chinese government, also dabbles in cyber crime operations for cash.

The warning came in a new report from FireEye, which said that members of API41 carried out state-sponsored espionage activity in parallel, along with with financially motivated operations.

The dual nature of this hacking group should not come as a surprise, as government’s tend to keep such groups at a certain distance in order to maintain deniable plausibility if their operations are uncovered.

Financial attacks

But FireEye says that APT41 is unique among tracked China-based actors, in that it utilises non-public malware typically reserved for espionage campaigns, for cyber operations designed for personal gain.

“Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward,” blogged FireEye.

It said that like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China’s Five-Year economic development plans. So it typically attacks organisations in the healthcare, high-tech, and telecommunications sectors.

But the group also conducts operations for financial reasons.

“The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware,” blogged FireEye.

“The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments,” it said.

“From there, the group steals source code as well as digital certificates which are then used to sign malware,” it added. “More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organisations.”

FireEye said that two of the APT41 hackers, namely person’s using the “Zhang Xuguang” and “Wolfzhi” names, have also been identified in Chinese-language forums.

“These individuals advertised their skills and services and indicated that they could be hired,” said FireEye.

Loaded arsenal

And FireEye warned that APT41 utilises an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group.

“APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups),” said FireEye.

“APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them,” it concluded. “It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.”

Last month big name German firms such as BASF, Siemens, Henkel, and Roche confirmed media reported that they had been subjected to cyber-attack.

The report from public broadcaster ARD suggested that the likely culprits was a state-backed Chinese hacking group.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Foxconn Moves Some Apple Production To Vietnam

Foxconn is reportedly moving the manufacturing of some iPads and Macbooks out of China to…

16 hours ago

Trump Administration Grants ByteDance TikTok Sale Extension

ByteDance granted seven day extension by Trump administration of TikTok sale order to new company…

17 hours ago

Amazon Web Services Restored After Outage

Amazon's cloud service on Wednesday suffered a widespread outage impacting parts of the Internet, but…

19 hours ago

Coronavirus Pandemic Impacts Full Fibre Broadband Rollout

Government finances are hurting. Delay to ambitious plan to roll out gigabit broadband to every…

21 hours ago

Bristol City Council Data Breach Revealed Names Of Disabled Children

Mass email from the council contained the names and email addresses of children with special…

2 days ago