Chinese Government Hackers Moonlight For Extra Cash – FireEye

Security researchers at FireEye have warned that APT41, one of the most effective hacking teams backed by the Chinese government, also dabbles in cyber crime operations for cash.

The warning came in a new report from FireEye, which said that members of APT41 carried out state-sponsored espionage activity in parallel with financially motivated operations.

The dual nature of this hacking group should not come as a surprise, as governments tend to keep such groups at a certain distance in order to maintain plausible deniability if their operations are uncovered.

Financial attacks

But FireEye says that APT41 is unique among tracked China-based actors in that it utilises non-public malware, typically reserved for espionage campaigns, in cyber operations designed for personal gain.

“Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward,” blogged FireEye.

It said that, like other Chinese espionage operators, APT41’s espionage targeting has generally aligned with China’s Five-Year economic development plans, so it typically attacks organisations in the healthcare, high-tech, and telecommunications sectors.

But the group also conducts operations for financial reasons.

“The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware,” blogged FireEye.

“The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments,” it said.

“From there, the group steals source code as well as digital certificates which are then used to sign malware,” it added. “More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organisations.”

FireEye said that two of the APT41 hackers, namely individuals using the “Zhang Xuguang” and “Wolfzhi” names, have also been identified in Chinese-language forums.

“These individuals advertised their skills and services and indicated that they could be hired,” said FireEye.

Loaded arsenal

And FireEye warned that APT41 utilises an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group.

“APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups),” said FireEye.

“APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enable it to conduct its own for-profit activities, or authorities are willing to overlook them,” it concluded. “It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.”

Last month big-name German firms such as BASF, Siemens, Henkel, and Roche confirmed media reports that they had been subjected to cyber-attack.

The report from public broadcaster ARD suggested that the likely culprit was a state-backed Chinese hacking group.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...