A group of Chinese state-backed hackers is also launching financially motivated attacks for personal gain in what cybersecurity researchers call a “remarkable” deviation from a singular focus on espionage.
Why it matters: The group, dubbed Advanced Persistent Threat 41 (APT41), is known for having targeted the healthcare, high-tech, and telecommunications sectors in 14 countries ranging from the US to Turkey and South Africa.
- The group is unique among China’s state-backed hackers for its use of tools typically reserved for espionage operations in missions that fall outside state control.
“APT41 carries out an array of financially motivated intrusions, particularly against the video game industry, including stealing source code and digital certificates, virtual currency manipulation, and attempting to deploy ransomware.”
—Cybersecurity researchers wrote in their report
Details: The researchers from cybersecurity firm FireEye said the group’s skills gained from cybercrime activities have ultimately supported its state-sponsored operations.
- Some of APT41’s financially focused operations informed techniques later used for supply chain compromises, the researchers said.
- Meanwhile, targeting the video game industry let the group develop tools and techniques that it later used to infiltrate software companies and inject malware into the source code of software updates.
- FireEye said that the majority of APT41’s cybercrime operations were performed after hours, circumstantial evidence of the extracurricular nature of these activities.
- During regular working hours, the group ran operations consistent with China’s national strategies, targeting chip makers and companies developing components used in autonomous vehicles, medical imaging, and the consumer market.
- Two people linked to APT41’s operations, using the monikers “Zhang Xuguang” and “Wolfzhi,” have previously advertised their services, indicating their availability as contractors.
- The group uses a total of 150 individual pieces of malware, FireEye said.
Context: APT41 is just one Chinese Advanced Persistent Threat group that FireEye tracks. Others include APT40, APT30, and APT19.
- These groups generally have specific areas of focus. For example, APT40 typically targets countries important to the Belt and Road Initiative, China’s contentious global development strategy.
- Meanwhile, APT19 focuses on infiltrating the legal and investment sectors.
- Chinese state actors have been accused of targeting foreign firms to accelerate the country’s progress via intellectual property theft.