The Department of Justice on Wednesday announced charges against five Chinese nationals and the arrest of two Malaysian men it alleges are connected to the APT41 attack group that is responsible for a high volume of attacks around the world in recent years, including intrusions at software, pharmaceutical, and technology companies, as well as non-profits and universities.
The indictments allege that the five men were involved in a variety of intrusions in the U.S. and elsewhere, stole money, digital assets, and intellectual property, and helped create and maintain an extensive network of compromised servers, C2 domains, fraudulent accounts, and other assets. The men charged in two separate indictments are Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan, and Fu Qiang. In addition to the indictments, the U.S. government also worked with Malaysian authorities to arrest two unnamed businessmen that the Justice Department alleges were involved with helping two of the alleged APT41 attackers in some of their operations.
“The scope and sophistication of the crimes in these unsealed indictments is unprecedented. The alleged criminal scheme used actors in China and Malaysia to illegally hack, intrude and steal information from victims worldwide,” said Michael R. Sherwin, Acting U.S. Attorney for the District of Columbia. “As set forth in the charging documents, some of these criminal actors believed their association with the PRC provided them free license to hack and steal across the globe. This scheme also contained a new and troubling cyber-criminal component – the targeting and utilization of gaming platforms to both defraud video game companies and launder illicit proceeds.”
The indictments are part of a concerted effort by the United States government to expose and deter intrusion campaigns conducted by teams associated with the Chinese government. In February, the U.S. charged four members of China’s People’s Liberation Army with the intrusion that led to the Equifax data breach, and the Cybersecurity and Infrastructure Security Agency (CISA) regularly publishes details of tools and malware used by attackers affiliated with the Chinese government. In fact, this week CISA published a detailed warning about attackers working for the Ministry of State Security exploiting flaws in networking gear and VPNs.
APT41 is a prolific, well-funded, and accomplished group that has been active for nearly 10 years and has several high-profile intrusions to its name. The group has operators and developers with expertise in both Linux and Windows and has a broad toolset at its disposal, including custom exploits and malware. The group also employs public and open source tools and is known to focus on vulnerabilities that have been public for months or years but have not been patched in target organizations. One of the indictments announced Wednesday alleges that Lizhi, Chuan, and Qiang conducted operations on behalf of a Chinese company called Chengdu 404 Network Technology that included intrusions at more than 100 companies around the world, as well as at government agencies in India and Vietnam.
“The defendants associated with Chengdu 404 employed sophisticated hacking techniques to gain and maintain access to victim computer networks. One example was the defendants’ use of ‘supply chain attacks,’ in which the hackers compromised software providers and then modified the providers’ code to facilitate further intrusions against the software providers’ customers. Another example was the hackers’ use of C2 ‘dead drops,’ which are seemingly legitimate web pages that the hackers created, but which were surreptitiously encoded instructions to their malware,” the announcement says.
The operations attributed to APT41 run the gamut and some of them are quite well known, including an intrusion in which the group was able to gain access to the source code for the CCleaner utility and insert malicious code. More than two million copies of the compromised version of the utility were downloaded, and the attackers then tried to use their position to run further attacks on a small number of the computers involved. The group is also associated with the use of the infamous Winnti malware, which has been used in several attacks, many of which targeted video game companies or players.
“Today’s announcement demonstrates the ramifications faced by the hackers in China but it is also a reminder to those who continue to deploy malicious cyber tactics that we will utilize every tool we have to administer justice,” said FBI Deputy Director David Bowdich.