China-Backed Cyber Espionage Group APT41 Turns to Financial Crime, Report Says

August 10, 2019 Updated: August 16, 2019

Chinese state-sponsored hacker group “Advanced Persistent Threat 41” is committing financially motivated crimes along with espionage for the regime, according to an Aug. 7 report by cybersecurity firm FireEye.

In a presentation at Black Hat USA, the world’s leading cyber-security event held in Las Vegas, FireEye Threat Intelligence (FEYE) revealed that the Chinese hacker group designated “Advanced Persistent Threat 41” (APT41) is moonlighting outside of its alleged espionage for China’s state security interests to engage in financial shakedowns and thefts against video game, higher education, travel services, and media firms.

Advanced persistent threat (APT) is a designation that since 2006 has been assigned to a person or group associated with stealth attacks on computer networks which gain unauthorized access and remain undetected for an extended time period. Of the 41 designated APTs, only 20 are still operating. China still dominates the list with 10 APTs.

The first designated group, APT1, is suspected of being the secretive Unit 61398 of the Third Department of the People’s Liberation Army’s General Staff Department, also known as the military’s warfighting branch. APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations and demonstrated the capability to steal from dozens of English-speaking organizations simultaneously.

The Chinese regime allegedly hosts 7 of the top 8 longest-surviving threat groups, including APT1, APT3, APT10, APT12, APT16, APT17, and APT18. The groups have used a broad array of proprietary malware to penetrate networks and sustain their attacks.

The hacking groups have targeted both governments and businesses in a wide range of sectors from high-tech electronics to agriculture.

The most infamous cyber-espionage attack was conducted by APT40 in support of an ambitious scheme by China’s People’s Liberation Army Navy (PLAN) to establish a blue-water navy. APT40, masquerading as an American unmanned underwater vehicle (UUV) producer, targeted universities engaged in naval research, according to FireEye. In December 2016, PLAN seized a U.S. Navy UUV operating in the South China Sea.

APT40, FireEye said, has also recently targeted individuals and political parties associated with elections in Southeast Asian countries that could impact Beijing’s “One Belt, One Road” initiatives.

Kaspersky’s second quarter “SecureList” Trend Report highlighted a special section dedicated to “Chinese-speaking activity.” Kaspersky revealed an active campaign by a new Chinese APT group named “SixLittleMonkeys” that combined “Trojan” and “RAT” malware to hijack Central Asian government computer networks by taking control of WiFi routers. The attacks are similar to the early 2019 “LuckyMouse” computer intrusions in Taiwan.

FireEye reported that APT41 is unique among tracked China-based actors because it “leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions.”

APT41 has targeted the $90 billion video game industry and its 2.5 billion players since 2012, FireEye said. By employing espionage-level tactics, techniques, and procedures to compromise multiple software supply chains, APT41 has been able to inject malicious code into legitimate files that were later distributed as video game updates, the report said. Having obtained source code and passwords, APT41 has robbed online corporate and individual bank accounts, and has waged ransomware attacks against crypto-currency accounts.

Chriss Street is an expert in macroeconomics, technology, and national security. He has served as CEO of several companies and is an active writer with over 1,500 publications. He also regularly provides strategy lectures to graduate students at top Southern California universities.