Stealthy, sustained, and frequently state-backed, advanced persistent threats (APTs for short) are often the leading antagonists of the cyber threat intelligence scene. But with murky intelligence, unclear goals, and inconsistent naming conventions (do we really need six names for one group?), making sense of APT groups is often easier said than done for both the average reader and experts alike.
APTs are so-named due to their advanced technical sophistication, their persistent access or attempts to access systems, and the significant threat they pose to nation states, companies, and/or individuals. To achieve all three, APT groups are usually linked to national governments, which may give them resources, turn a blind eye to their criminal activity, or even provide direction to the groups’ operations. Such groups are usually tied to the so-called big four of APT threats—Russia, the People’s Republic of China (PRC), Iran, and North Korea—but many support the interests of countries including Turkey, Israel, Pakistan, India, South Korea, and the US.
This blog is the first in a series aimed at demystifying APT groups around the world, as well as their group dynamics, goals, and techniques. With Chinese APTs making waves during tensions with Taiwan and the US, infamous Chinese APT group “APT41” is the first up to bat.
Bad panda, no bamboo
APT41 (aka Wicked Panda, BARIUM, Wicked Spider, Blackfly, Double Dragon, and so on) is one of the most prolific Chinese threat groups. The group’s many cyber-espionage campaigns are likely motivated by Chinese political and economic goals, including the Belt and Road Initiative (BRI), and Made In China 2025 (MIC 2025). However, unlike many politically motivated APT groups, APT41 poses a dual threat, being known to have conducted financially motivated ransomware attacks and attacks against the video game industry in particular.
APT41 is a natural starting point for this series, due to the wealth of internal information we have about the group. Unlike most APT groups, for whom stealth is paramount, we know several members of APT41, where they are based, and what techniques they usually use. This is in part due to US federal indictments of five of its members in August 2019 and August 2020 on charges including wire fraud, identity theft, and racketeering, as well as unauthorized computer intrusions affecting over 100 companies and individuals worldwide.
According to these indictments, much of APT41’s activity stems from the Chinese city of Chengdu, a growing technology hub in the southwestern province of Sichuan. Famous for its giant pandas (the animal, not the APTs), the city is also gaining a reputation for both white and black hat hackers. This includes hosting the Tianfu Cup, the PRC’s premier computer hacking contest and response to the West’s Pwn2Own. APT41’s known members are therefore largely network security engineers, many of whom used to operate under the guise of a supposedly legitimate network security company known as Chengdu 404. Controversial whistleblowing site Intrusion Truth also claims that the group has significant ties to Sichuan University and Chengdu University of Information Technology, and may use these links for recruitment purposes.
APT41 members have ties with the Chinese Ministry of State Security (MSS). One member claimed to be “very close” with the “GA” (aka MSS), and claimed that the MSS would protect him “unless something very big happens.” Other members have also performed legitimate contracting work for the MSS. However, it is unlikely that the group works as part of the Chinese security apparatus. Many group members have criminal rap sheets or ties to cyber-criminal entities, such as the Network Crack Program Hacker (NCPH) group. According to the FBI, members have also made statements about not targeting domestic Chinese entities so as to avoid the ire of the MSS. It is more likely that the group conducts cyber-espionage activity on a more contractual basis for the MSS, although whether this is motivated by patriotism, money, commuted prison sentences, or simply the “lolz” is unconfirmed.
Spies by day
Despite the indictments of some of its members, no extradition treaty and no Chinese political goodwill mean that APT41 is still free to pose a menacing cyber-espionage threat. APT41 has successfully compromised government and critical infrastructure networks around the world and has been attributed to more cyber-espionage campaigns than we have time to name. The group is notable as a pioneer of supply-chain attacks—i.e. attacks on vulnerable third-party tools and software to gain access to a target—and also frequently uses vulnerability exploitation and custom malware to compromise victims.
Examples of vulnerability exploitation by APT41 include supply-chain attacks on US state government networks. From May 2021 to February 2022, APT41 gained access to six state networks by exploiting vulnerabilities. This included the “Log4j” remote code execution (RCE) zero-day in USAHerds, an application for tracking disease in cows and other livestock (commence sad moo noises). From January to March 2020, APT41 also conducted one of the broadest vulnerability exploitation campaigns observed in recent years, exploiting Citrix, Zoho, and Cisco vulnerabilities. The campaign impacted entities in at least 20 countries from at least 19 sectors.
In addition to opportunistic vulnerability exploitation, the group has developed their own malware to conduct attacks, such as the Unified Extensible Firmware Interface (UEFI) malware “MoonBounce”. Identified in January 2022, MoonBounce was reportedly used to exfiltrate sensitive personal and intellectual property information from targets including transportation networks. UEFI rootkits are highly stealthy and persistent malware, and are difficult to detect on victim machines. One researcher dubbed MoonBounce “the most advanced UEFI firmware implant discovered in the wild to date”, an uncomfortable insight into APT41’s technical capabilities.
APT41 is therefore stealthy, technologically capable, and persistent in its cyber-espionage attacks: all unfortunate hallmarks of an APT group. But while most of its cyber-espionage attacks are conducted—quite literally—by day, it also conducts cyber-criminal campaigns by night.
Criminals by night
Another argument that APT41 operates only partially in the nexus of Chinese government control is Mandiant’s research into the group’s campaign types and operational times. During Beijing working hours, the group predominantly conducts cyber-espionage attacks, while at night, ransomware attacks and money-making schemes prevail. As most Chinese government-linked APT groups do not conduct financially motivated attacks, it is likely that the MSS turns a blind eye to these activities, so long as APT41 continues to provide them with valuable intelligence.
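The working-hours argument above can be reproduced for any intrusion set once you have timestamped activity with a campaign label attached. The script below is an added example written for this post; it is not Mandiant's tooling or code from the original article. It assumes a constructed event list, a 09:00 to 18:00 Monday-to-Friday working window, and China Standard Time as a fixed UTC+8 offset (the PRC does not observe daylight saving time), and it reports which motivation dominates each bucket plus an hourly histogram a defender can eyeball for a working-day rhythm.

```python
"""Bucket attacker activity by Beijing working hours to compare motivations.

Added example, not from the original post. Assumes a constructed event list,
a 09:00-18:00 Mon-Fri working window, and CST as a fixed UTC+8 offset.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time is UTC+8 year-round, so a fixed offset is sufficient
# and avoids depending on a tz database being installed.
BEIJING = timezone(timedelta(hours=8), name="CST")
WORK_START_HOUR, WORK_END_HOUR = 9, 18  # assumed working window, end exclusive

# Map observed campaign types onto the two motivations discussed in the post.
MOTIVATION = {
    "espionage": "espionage",
    "ransomware": "financial",
    "game-fraud": "financial",
}

# Constructed sample events: (UTC timestamp, observed campaign type).
# Deliberately includes a little noise in both buckets.
SAMPLE_EVENTS = [
    ("2022-03-01T02:15:00Z", "espionage"),   # 10:15 Tue Beijing
    ("2022-03-01T06:40:00Z", "espionage"),   # 14:40 Tue
    ("2022-03-01T08:05:00Z", "espionage"),   # 16:05 Tue
    ("2022-03-01T14:30:00Z", "ransomware"),  # 22:30 Tue
    ("2022-03-01T17:10:00Z", "game-fraud"),  # 01:10 Wed
    ("2022-03-01T22:00:00Z", "espionage"),   # 06:00 Wed (before work, noise)
    ("2022-03-02T01:30:00Z", "ransomware"),  # 09:30 Wed (during work, noise)
    ("2022-03-02T03:00:00Z", "espionage"),   # 11:00 Wed
    ("2022-03-02T15:45:00Z", "ransomware"),  # 23:45 Wed
    ("2022-03-05T03:00:00Z", "game-fraud"),  # 11:00 Sat (weekend counts as off)
]


def to_beijing(ts_utc: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' and convert to Beijing time."""
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # tolerate naive input by treating it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(BEIJING)


def is_working_hours(dt: datetime) -> bool:
    """True for Monday-Friday inside the assumed working window."""
    return dt.weekday() < 5 and WORK_START_HOUR <= dt.hour < WORK_END_HOUR


def bucket_events(events):
    """Count motivations separately for working-hours and off-hours activity."""
    buckets = {"working_hours": Counter(), "off_hours": Counter()}
    for ts, kind in events:
        motive = MOTIVATION.get(kind, "unknown")
        name = "working_hours" if is_working_hours(to_beijing(ts)) else "off_hours"
        buckets[name][motive] += 1
    return buckets


def dominant_motivation(buckets):
    """Return the most frequent motivation per bucket (None if bucket is empty)."""
    return {name: (c.most_common(1)[0][0] if c else None)
            for name, c in buckets.items()}


def hourly_histogram(events):
    """Events per Beijing hour (0-23); a working-day rhythm shows as a daytime hump."""
    hist = [0] * 24
    for ts, _ in events:
        hist[to_beijing(ts).hour] += 1
    return hist


if __name__ == "__main__":
    buckets = bucket_events(SAMPLE_EVENTS)
    for name, counts in buckets.items():
        print(f"{name:14s} {dict(counts)}")
    print("dominant:", dominant_motivation(buckets))
    print("by hour :", hourly_histogram(SAMPLE_EVENTS))
```

On the constructed sample the working-hours bucket is dominated by espionage and the off-hours bucket by financial activity, which is the pattern the post attributes to Mandiant's findings. With real data the window boundaries and the weekend rule are the assumptions to revisit, and a few hundred events are needed before the split means much.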
APT41 has frequently targeted the video game and online gambling industry in such attacks. The group has deployed ransomware against video game companies, and has conducted watering hole attacks against online gamblers. A watering hole attack compromises a website that the intended victims commonly visit and uses it to serve malware to site visitors. APT41 has also compromised video game systems to fraudulently obtain in-game currencies and digital goods (think cool skins, artifacts, and weapons) in order to sell them to legitimate gamers for profit. In line with the group’s sophistication, it also apparently monitored gaming companies’ fraud detection teams in order to evade detection itself, and compromised other cyber-criminal groups conducting similar attacks in order to steal their goods and eliminate competition.
For king and country (or for general secretary and party) is apparently not enough for APT41. The group is either not paid enough by the Chinese government, or greed has simply gotten the better of its members and pushed them to lead a double life. Either way, the group’s dual motivations, and broad tactics, techniques, and procedures (TTPs) mean that it poses a threat to many industries, from many angles.
What to expect from APT41
For a group of network security professionals from Chengdu, APT41’s scope and impact have been considerable. The group poses an ongoing challenge to governments and security teams alike due to its unpredictable motivations and TTPs, be they cyber-espionage or cyber-criminal in nature. Although the rise in tensions between the PRC and Taiwan has slowed since US House Speaker Nancy Pelosi’s visit in July, it is realistically possible that APT41 will choose Taiwanese organizations as its next target in retaliation for the visit. To stay informed of APT41’s latest activity, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection).
Keep an eye out for the next installment of our APT Spotlight Series. The Photon Research Team maintains a library of more than 500 threat profiles to choose from, which help our clients navigate the quickly evolving threat landscape. To see how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) can work for you, take a test drive for seven days and explore our research in depth.