Just because you’re a world-class Chinese government hacker busy conducting espionage against geopolitical adversaries doesn’t mean you can’t make a little extra money on the side.
The hackers behind a sophisticated seven-year Chinese government intelligence operation simultaneously use their talents to hack for personal profit by putting a bull’s-eye on targets in the cryptocurrency and video game industries, according to the American security firm FireEye. The group, dubbed APT41, showcases a rare combination of activities for a country like China, where the worlds of spying and cyber crime are typically entirely distinct.
“APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them,” the researchers wrote in a report released on Wednesday. “It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.”
The day job: The hacking group started its life at least as far back as 2012 like many other Chinese state-sponsored hackers: stealing intellectual property from the medical-device and pharmaceutical industries.
In 2015, after Chinese president Xi Jinping and American president Barack Obama came to an agreement against intellectual-property theft, APT41’s targeting changed. Most recently, the group has made headlines with high-profile supply chain compromises at companies like the Taiwanese tech company Asus.
The campaigns start when the hackers break into these software companies, inject malware into otherwise legitimate files, and then distribute updates widely. The tactic infects tens of thousands of machines, but the hackers ultimately use it to target a smaller group of individuals based on individual system identifiers using the compromised software.
The group, also known as Barium and Winnti, is well known to cybersecurity defenders around the world. It uses a wide range of techniques to gain a foothold in a target’s system, including well-crafted spearphishing, the use of stolen credentials, TeamViewer remote desktop sharing software, and the China Chopper web shell, FireEye reported. Once inside, APT41 is known to use dozens of families of malware across multiple simultaneous operations including one year-long campaign that saw the use of “close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits,” FireEye said.
With all its tools, capabilities, and proven track record, APT41 is something of a Swiss Army knife for Chinese tacticians. The group has targeted telecommunication companies’ call records, news media, and even a hotel’s reservation system just before the arrival of Chinese officials. After the 2015 agreement, its job switched dramatically from government-sanctioned theft to tasks like surveilling anyone of interest to Beijing.
The side hustle: At the same time the group is conducting these geopolitical campaigns, it uses many of the same tactics to hack targets for financial gain.
APT41 has been seen compromising the supply chains of video-game companies. With access to a game’s production environment, the group generated tens of millions of dollars in the game’s virtual currency, which was then likely sold in underground markets.
It’s also used more classic cybercrime tactics, including a ransomware attack and extortion attempt against a game company when the game’s virtual currency wasn’t valuable enough to be monetized.
“APT41 has repeatedly returned to targeting the video game industry,” the researchers said, “and we believe these activities were formative in the group’s later espionage operations.”
Despite the significant overlap, there is a clear dividing line between the group’s espionage and for-profit work: more advanced tactics and malware are typically reserved for the big targets picked out by Beijing.