China's hacking groups APT41, APT27 target government institutions, companies
Aug 31, 2022
Beijing [China], August 31 : China's state-sponsored hacking groups, dubbed "Advanced Persistent Threats (APTs)", have for a decade targeted government institutions and companies globally.
Grusha Bose, a Fellow Researcher writing for the Indo-Pacific Center for Strategic Communications (IPCSC), said that APT41 and APT27 are the oldest and most dangerous groups currently active and have shown advanced capabilities in jeopardizing a country's national security.
China's APT hacking groups use unusual malware tools to exploit vulnerabilities in government institutions in pursuit of the state's espionage agenda.
They keep altering their attack strategies to avoid detection, and Chinese espionage operations are aligned with China's Five-Year Development Plans.
Typically, these groups are designated by number based on their activities, their target sectors and which government backs them. According to a report by Mandiant, the APTs attributed to China include APT1 (PLA Unit 61398), APT2 (PLA Unit 61486), APT4 (Maverick Panda, Sykipot Group, Wisp), APT16, APT26, APT27, APT40, APT41 (Double Dragon, Winnti Group, Barium, or Axiom), APT30, APT31, and so on; the list continues.
Each of these APTs has, during a specific year of its activity, played a major role in undermining the strategic national security of the targeted government institutions and companies.
For example, APT26 targeted the aerospace, defence and energy sectors, among others, while APT16 focused on Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries.
APT41 is also infamously known as 'Double Dragon' for its dual espionage and cybercrime operations: it carries out Chinese state-sponsored espionage targeting government institutions in parallel with financially motivated operations for personal gain, said Bose.
They also go by the names BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, and Winnti Umbrella.
APT41 has blatantly engaged in financially motivated activity targeting the video game industry, including manipulating virtual currencies, according to FireEye reports.
Using its access to a game production environment, APT41 generated millions of dollars in less than 3 hours from a popular game's virtual currency, reported IPCSC.
The money was then distributed to multiple accounts and most likely sold and laundered in an underground market that is hard to trace.
To add a cherry on top of their 'personal financial gain', they also targeted payment services specializing in 'in-game' transactions and Real Money Transfer (RMT) purchases, resorting to ransomware to salvage the attempt when they could not monetize the in-game currency.
According to the FireEye Intelligence report, the group has been active since 2012, initially targeting the video game industry before expanding to exploit the national security vulnerabilities of government institutions.
According to the reports, APT41 has targeted organizations in 14 countries, including Hong Kong, over a span of 7 years: France, India, Italy, Myanmar, Singapore, South Africa, Switzerland, Japan, the Netherlands, South Korea, Thailand, Turkey, the United States, and the United Kingdom.
In one such case, APT41 targeted medical device companies and pharmaceuticals. This is alarming because, through these devices, they sought to acquire knowledge of the public's health history or a company's R&D on a particular product, which would give them leverage to steer the pharmaceutical market by producing a required drug, or perhaps to start a bioweapon war; how COVID-19 started is still speculative.
Similarly, APT27 is yet another Chinese hacking group that has targeted multiple organizations using the very same tactics and tools as its counterpart APT41.
APT27 has engaged in intellectual property theft, usually focusing on data and projects, according to Mandiant reports. The group has targeted institutions globally, including in North and South America, Europe, and the Middle East. APT27 has focused on business services, high-tech, government institutions and energy, but mostly on the aerospace, transport and travel industries, said Bose.
Lately, the China-attributed APTs have become more active because of tensions over Taiwan. According to reports, Taiwan has been experiencing non-stop cyberattacks from APT27; the latest target was the National Taiwan University (NTU) on August 7, reported IPCSC.
NTU's websites displayed a message in Chinese reading "There is only one China in the world". As reported by Taiwan News, the attacks have been ongoing since the visit by US House Speaker Nancy Pelosi.
APT27 posted a YouTube video on August 3 threatening to conduct a 'special cyber operation' against Taiwan. The group also took responsibility for the string of cyber-attacks and warned that more would be coming.
The group claimed that over 200,000 Taiwanese-connected devices are at its mercy and warned that if Taiwan continued to provoke the situation, it would leak data from the Taiwan government, compromising national security, and would announce a 'Taiwanese equipment zero-day'.