Chinese Government Hackers Moonlight For Extra Cash – FireEye

Security researchers at FireEye have warned that APT41, one of the most effective hacking teams backed by the Chinese government, also dabbles in cyber crime operations for cash.

The warning came in a new report from FireEye, which said that members of APT41 carried out state-sponsored espionage activity in parallel with financially motivated operations.

The dual nature of this hacking group should not come as a surprise, as governments tend to keep such groups at a certain distance in order to maintain plausible deniability if their operations are uncovered.

Financial attacks

But FireEye says that APT41 is unique among tracked China-based actors, in that it utilises non-public malware, typically reserved for espionage campaigns, in cyber operations designed for personal gain.

“Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward,” blogged FireEye.

It said that, like other Chinese espionage operators, APT41’s espionage targeting has generally aligned with China’s Five-Year economic development plans. So it typically attacks organisations in the healthcare, high-tech, and telecommunications sectors.

But the group also conducts operations for financial reasons.

“The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware,” blogged FireEye.

“The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments,” it said.

“From there, the group steals source code as well as digital certificates which are then used to sign malware,” it added. “More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organisations.”
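The tampering FireEye describes, where trusted build output is modified before it is distributed and then signed with a stolen certificate, is exactly the case in which a valid code signature tells you nothing. One practitioner check is to pin SHA-256 digests of release artifacts in a manifest produced by an independent or reproducible build and verify every shipped file against it, reporting not only mismatches but files the manifest never listed and files that have gone missing. The script below is an added example written for this article; it is not code from FireEye or from the report, and the file names (game_client.exe, libnet.so, updater.dll), the manifest contents and the tampering scenario are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large release artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex digits>  <filename>') into {filename: digest}.

    Malformed or duplicated entries raise, because a manifest that cannot be parsed
    cleanly must never be treated as a partial allowlist.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        int(digest, 16)  # raises ValueError if the digest is not hexadecimal
        if name in expected:
            raise ValueError(f"manifest line {lineno} repeats {name!r}")
        expected[name] = digest
    return expected


def verify_release(directory, manifest_text):
    """Compare every file in a release directory against the pinned manifest.

    Returns a report with four sorted lists: files whose digest matches ('ok'),
    files whose content differs from the manifest ('mismatched'), manifest entries
    with no file on disk ('missing'), and files on disk the manifest never listed
    ('unexpected'). Anything other than an empty 'mismatched', 'missing' and
    'unexpected' means the release must not ship.
    """
    expected = parse_manifest(manifest_text)
    present = {n for n in os.listdir(directory)
               if os.path.isfile(os.path.join(directory, n))}
    report = {"ok": [], "mismatched": [], "missing": [],
              "unexpected": sorted(present - set(expected))}
    for name, digest in sorted(expected.items()):
        if name not in present:
            report["missing"].append(name)
            continue
        actual = sha256_file(os.path.join(directory, name))
        (report["ok"] if actual == digest else report["mismatched"]).append(name)
    return report


def demo():
    """Constructed scenario (not real data): a clean build is hashed into a manifest,
    then one binary is modified after the fact, one unlisted file appears in the
    release directory and one listed file disappears."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "game_client.exe": b"MZ" + b"\x00" * 100,   # constructed stand-in for a PE
            "libnet.so": b"\x7fELF" + b"\x01" * 50,       # constructed stand-in for an ELF
            "README.txt": b"release notes\n",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Manifest taken while the build is still clean (in practice: from an
        # independent builder, not from the possibly compromised production host).
        manifest = "\n".join(f"{sha256_file(os.path.join(d, n))}  {n}" for n in files)

        # Post-build tampering: bytes appended to the client binary.
        with open(os.path.join(d, "game_client.exe"), "ab") as f:
            f.write(b"\xcc" * 16)
        # A file the manifest never listed is dropped into the release.
        with open(os.path.join(d, "updater.dll"), "wb") as f:
            f.write(b"MZ")
        # A listed file is removed.
        os.remove(os.path.join(d, "README.txt"))

        return verify_release(d, manifest)


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the provenance of the manifest: if it is generated on the same production host the intruder controls, they will simply regenerate it after injecting their code. Obtain or distribute it through a separate channel (a second, independently maintained build, a reproducible build, or a signing key held outside the environment being verified), and treat code-signing certificates themselves as high-value assets that belong in an HSM rather than on a build server.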

FireEye said that two of the APT41 hackers, namely individuals using the “Zhang Xuguang” and “Wolfzhi” names, have also been identified in Chinese-language forums.

“These individuals advertised their skills and services and indicated that they could be hired,” said FireEye.

Loaded arsenal

And FireEye warned that APT41 utilises an arsenal of over 46 different malware families and tools to accomplish its missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group.

“APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups),” said FireEye.

“APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enable it to conduct its own for-profit activities, or authorities are willing to overlook them,” it concluded. “It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.”

Last month big-name German firms such as BASF, Siemens, Henkel, and Roche confirmed media reports that they had been subjected to cyber-attack.

The report from public broadcaster ARD suggested that the likely culprit was a state-backed Chinese hacking group.


Tom Jowitt
