Pavlo KryvenkoChina-sponsored cyber group APT41 (Wicked Panda, Double Dragon, Wicked Spider or Winnti Group), which conducts financially motivated operations, has evolved and is no longer focused solely on the gaming industry.
Experts have found evidence that APT41 is creating front companies in the computer and technology sector, employing testers and software developers, which serves their purpose of continuing to use aggressive methods to support their state’s ambitious development goals.
Thus, APT41 performs tasks determined by the special services of its state during working hours, and engages in criminal activities in non-working hours with the aim of obtaining financial benefits. In some cases, the use of state-level malware is even noted in both streams of activity.
Chinese APT groups are persistent in their activities and form a large network of criminal hackers. Among other threats of this level, APT41 stands out due to the mass use of closed malware during non-working hours.
APT41’s focus on only certain targets indicates a clear implementation of the tasks set by the Chinese Government and a corresponding degree of coordination.
Thus, APT41’s extraction of intelligence from various foreign vaccine development and healthcare institutes contributed to deepening knowledge and gaining an illegal competitive advantage for China.
But APT41 isn’t just targeting foreign multinationals, it’s also targeting its own citizens, using malware to collect vast swaths of data to conduct direct surveillance on high-ranking Chinese officials.
During its time in operation, APT41 systematically targeted hotel complexes and vacation spots before high-ranking officials stayed there to get their personal and personally identifiable information.
This kind of direct, preemptive and specific targeting provides evidence that China’s special services are outsourcing at least part of their intrusive surveillance program to cybercriminals within their own borders.
Recently, experts observed persistent connections to command-and-control (C2) servers from several IP addresses associated with universities in Taiwan (in particular, National Taiwan University) and Hong Kong (in particular, the Hong Kong University of Science and Technology), which led to successful acquisition by APT41 participants of identification data of employees, students and graduates of educational institutions.
The fact that APT41 continues to use double-hedging, despite gaining media exposure, does not stop the group from continuing to hack targets and suggests that the state government is turning a blind eye.
The repeated actions of the cybercriminal group APT41 make it highly unlikely that it operates without the knowledge of the Chinese government, which uses this model to advance its state agenda and protect its sponsored cybercriminals.