APT41 actors charged for attacks on more than 100 victims globally

US Department of Justice announced indictments against 5 Chinese nationals alleged members of a state-sponsored hacking group known as APT41.

The United States Department of Justice this week announced indictments against five Chinese nationals believed to be members of the cyber-espionage group known as APT41 (Winnti, Barium, Wicked Panda and Wicked Spider).

US authorities are accusing the China-linked APT group of having launched cyberattacks on hundreds of organizations across the world.

The list of targets includes software and video game companies, computer hardware makers, telecom providers, and social media organizations, but also governments, non-profit entities, universities, and think tanks, not to mention pro-democracy politicians and activists in Hong Kong.

The attacks also aimed at carrying out other criminal activities, such as the deployment of ransomware and cryptocurrency malware.

In August 2019 and August 2020, a federal grand jury announced two separate indictments charging the five Chinese nationals with facilitating theft of source code, software code signing certificates, customer account data, and valuable business information.

They have been also charged with identity theft, access device fraud, wire fraud, money laundering, and violations of the Computer Fraud and Abuse Act (CFAA).

The five Chinese nations reached by the indictments are Zhang Haoran, 35, Tan Dailin, 35, Jiang Lizhi, 35, Qian Chuan, 39, and Fu Qiang, 37.

These individuals are all present in the FBI’s most wanted list.

According to the indictment announced in August 2019, Zhang Haoran (张浩然), 35, and Tan Dailin (谭戴林), 35, with 25, carried out cyber attacks on high-technology and similar organizations and video game companies.

The August 2020 indictment charges charged Jiang Lizhi (蒋立志), 35, Qian Chuan (钱川), 39, and Fu Qiang (付强), 37, they were operating for a Chinese company named Chengdu 404 Network Technology.

“The racketeering conspiracy pertained to the three defendants’ conducting the affairs of Chengdu 404 Network Technology (“Chengdu 404”), a PRC company, through a pattern of racketeering activity involving computer intrusion offenses affecting over 100 victim companies, organizations, and individuals in the United States and around the world, including in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.  The defendants also compromised foreign government computer networks in India and Vietnam, and targeted, but did not compromise, government computer networks in the United Kingdom.” reads the press release published by DoJ.”

In one case, the Chinese hackers launched a ransomware attack on the network of a non-profit organization dedicated to combating global poverty.

The Chengdu 404 defendants used multiple techniques in their operations, including supply chain attacks and C2 “dead drops,” they also employed publicly available exploits and tools. They targeted multiple known vulnerabilities including CVE-2019-19781, CVE-2019-11510, CVE-2019-16920, CVE-2019-16278, CVE-2019-1652/CVE-2019-1653, and CVE-2020-10189.

In August 2010, the same federal jury announced an indictment that charges Malaysian businessmen Wong Ong Hua, 46, and Ling Yang Ching, 32, for conspiring with two of the Chinese hackers. They two suspects have been arrested this week in Sitiawan, Malaysia, on U.S. warrants issued in August 2020.

“The second August 2020 indictment charged Wong Ong Hua, 46, and Ling Yang Ching, 32, both Malaysian nationals and residents, with 23 counts of racketeering, conspiracy, identity theft, aggravated identity theft, access device fraud, money laundering, violations of the CFAA, and falsely registering domain names,” the DoJ continues.

The U.S. District Court for the District of Columbia seized hundreds of accounts, domain names, servers, and command and control (C&C) dead drop web pages that the defendants employed in their operations.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT41)

[adrotate banner=”5″]

[adrotate banner=”13″]