CyberWire Daily - The fuzzy boundaries of APT41. [Research Saturday]
Episode Date: October 5, 2019

Researchers at FireEye recently released a report detailing the activities of APT41, a Chinese cyber threat group notable for the range of tools they use, their origins in the world of video gaming, and their willingness to shift from seemingly state-sponsored activity to hacking for personal gain. Nalani Fraser and Fred Plan contributed to the report, and they join us to share their findings. The original research is here: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. DeleteMe's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com/N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout.
That's JoinDeleteMe.com/N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase
in ransomware attacks and a record $75 million payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools. It's time to rethink your
security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs
invisible, eliminating lateral movement, connecting users only to specific apps, not the entire
network, continuously verifying every request based on identity and context, simplifying security, and protecting your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
So we have been tracking this group for a very long time.
That's Nalani Fraser, Senior Manager of the Advanced Analysis Team for FireEye Threat
Intelligence. She's joined by Fred Plan, a Senior Analyst on FireEye's Cyber Espionage Threat
Intelligence Team. The research we're discussing today is titled APT41, A Dual Espionage and
Cybercrime Operation.
Starting in about 2012, APT41 is a Chinese state-sponsored espionage group that conducts
financially motivated activity as well, for personal gain.
So there are some unique things about APT41. From the outset,
there's some things that sort of set them apart from some other groups, particularly Chinese
groups. Can you take us through what are some of the things that make them unique?
One of the big distinct things about APT41 is the fact that it's conducting both
financially motivated cybercrime operations alongside and simultaneously with the cyber
espionage campaigns. So usually with the Chinese espionage groups, they tend to do just the
nation state stuff. If they're doing anything on the side, it's quite a bit separate. But in the
case of APT41, there's a lot of overlap between these two worlds within a single group. So that includes the timing,
they're conducting both the financially motivated activity, as well as the espionage activity,
often on the same day and long running campaigns running at the same time. But also in terms of
the tools they're using. So they're using tools that are used by pretty much every
other Chinese espionage group only for espionage stuff. But APT41 will use those same tools also
for the financially motivated stuff. So it's pretty unique to this particular group.
Yeah, that's really interesting. And the report goes into some details about how it seems as
though they may have gotten their start going after the video game industry?
Yes, that's right.
So we think that this group,
they have a strong personal interest
in the video game industry,
and a lot of what they are doing
in the financially motivated world
is targeted against the video game industry.
So a lot of their earlier operations are concentrated
against not just video game studios
and developers, but also payment platforms and online forums and other related services
that are part of the world of video gaming.
And a lot of the operations that they're conducting and how they're conducting these operations,
the TTPs, will often emerge first in their targeting of video game organizations and then later kind
of bleed over into the espionage activity that they're also doing. Does this lead to any
speculation that, you know, they got their start doing non-government type of work and perhaps
they caught the government's eye and they said, hey, you guys are doing some interesting work
here. How'd you like to come work for us? Is that a possibility or is that just purely speculative? It is a possibility. And in fact, we have research dating back to at least
2005 indicating that individuals who were responsible for this activity were advertising
hacker for hire services. So they were saying they were available for hacking into system networks.
And we believe that that was probably in a
contractor capacity. Well, let's walk through the research together. Take me through who does it
seem as though they're targeting? Sure. So they have targeted a wide range of industries since
at least 2012. So on the espionage side, we've seen them target healthcare, high-tech, media, and travel organizations, really gathering intelligence, which would be aligned with China's five-year economic development plans.
And then, as Fred mentioned, we have seen them also target video game organizations for primarily financial gain.
And where are they targeting? Are there specific geographic areas
that it seems as though they're hitting? They aren't really geographic specialists. It's more
of they'll target particular organizations they're focused on regardless of where they are. So there's
a tendency, for example, with the healthcare targeting to be concentrated in, say, Western
Europe or East Asia, but that's not because of the region, but because that's where that particular industry happens to be.
So APT41 is definitely region agnostic, if that's the term.
It's interesting to me, looking through your research, how their activities have
shifted over time.
It's one of the things you track here.
Can you walk us through, what are some of the changes that you've seen them make?
There's kind of a split in the consistency along the financially motivated activity and the espionage activity. So on the financially motivated side, that's been
pretty consistent with targeting of the video game industry, for example. There's just kind of an
escalation of the different tactics that they'll use against a particular industry. And so we
usually use that as an example of their growth or their growing maturity, at least in terms of
their cyber crime activity. For espionage stuff, it's a little different. That one has changed a lot over time. And we have a chart in the report which shows how these
industries that they're targeting kind of pop back on and fall back off. And we think that
kind of inconsistency, or those big shifts in their activity, is consistent with them being a contractor.
So, maybe this group is, you know, they're contracted to target healthcare for a year or two
and then that contract either ends or they move off of it and they contract over
to targeting the high tech sector, for example, and then they'll get off of that and target
something else.
At least in terms of espionage activity, their targeting is a lot less consistent, at least
compared to their financially motivated operations.
Yeah, it was interesting too.
One thing that caught my eye in the research was this notion of them moving towards strategic intelligence collection and
away from intellectual property theft. I think a lot of us, when we think of the activities of
the Chinese, we think about intellectual property theft. But your reporting here shows that there
may be a shift away from that. Yeah, since about 2015, we've noticed just overall a shift away from intellectual property theft.
They have still been targeting organizations and different organizations that would be in
industries of interest for intellectual property, but we actually haven't seen that IP theft.
So that brings up interesting questions about, are they gaining intelligence through other means?
But we have seen continued interest in strategic intelligence collections.
So targeting of telecom organizations, for example, targeting call detail records and SMS records of interest to the Chinese government.
Yeah, one of the sections in the report discusses the cyber espionage activity. And you mentioned China's Made in China 2025 plan trying to reduce their dependence on importing medical device technology. And so one way to do that is to take that technology
and develop it on their own. Yeah, let's dig into some of the case studies that you've outlined here
in the report. You know, we said at the outset that it seems as though these folks had an interest in
video gaming. What sort of things did you find in terms of their targeting
of that part of the industry? So for the video gaming stuff, this is the sector that I like to
talk about the most as the most indicative or provides the best examples of their growth and
maturity over time. So the earliest activity that we saw being conducted by the APT41 actors is
pretty low level, pretty basic to start with. It's, you know, things like
their activity on different, like very Chinese market specific video games, their discovery of
different ways to like bend the rules, different games and targeting some sort of like third party
services that are related to those types of games specifically. And then over time, this expands. So we start
seeing it targeting other games that are popular throughout the East Asian region in particular.
And we see this start escalating to other types of monetization activity. So that will include
things like targeting the real money transaction platforms that let people buy things for real life money for
converting into in-game value. That includes targeting these specific systems that track
how much virtual currency a particular account has. So they would be straight up generating
virtual currency and then transferring that to their own actor-controlled accounts and
basically money laundering within the game platform itself.
And that even escalated to the point where they were even deploying ransomware on different video game studios servers. So you can see definitely there's like this growth in different tactics
and the growth of the sophistication of these tactics over time. The big thing that we were
trying to highlight in the report is how APT41, how they developed the ability to
very successfully navigate through any targeted system that they wanted.
So in the video game industry, what they were doing was initially getting into a targeted network
and then moving laterally around until they could reach the production environment or where a video
game studio or developer builds the next expansion to
a game or the next game. So, once they reach that environment, that really gave APT41 access to
anything they wanted within the game environment, right? So, it gives them insight into what the
newest games are coming out. It gives them insight into how the games are put together or how they
operate internally and how they interact with other systems that are set up by the video game
company.
And reaching that production server puts them in a position to do any number of things.
So the primary things being injecting their own code into legitimate game updates and
files.
Also, it put them in a position to access the video game company's
digital certificates. And so their own injected code could then be used and be signed by legitimate
digital certificates. And of course, that lends itself quite easily then to supply chain
compromises. So that's where this industry is where we saw APT41 initially
conducting supply chain compromises. Again, they would have access to legitimate files or game
updates. They would be able to inject their own code, including backdoors or Trojans,
into these legitimate updates. And then these would be pushed out. And after being signed by
legitimate digital certificates, they would be pushed out to all the users.
And now APT41 is in a position to compromise
pretty much the entire user base of these particular games.
And so once they started doing that within the video game industry,
they were able to apply a lot of these lessons
and a lot of these exact same TTPs to other software companies.
And so that's why we saw these kinds of supply chain compromises
being conducted and leveraging the software updates for other software companies.
Is it fair to say that one element of APT41 is the breadth of tools and techniques they have at
their disposal, that they come at things from a lot of different directions and seem to have
success doing it? Yes, that's fair to say. APT41 has a very large
tool set, more than some of the other threat groups that we track. We noticed that APT41 has
over 46 different malware families. Some of them are shared with other Chinese espionage groups,
and some of them, it looks like they have developed on their own.
Yeah, it's interesting. One of the things that you track here are the overlaps between the espionage and the financial operations. I guess it's not unusual
to see folks in this line of work doing some freelancing. We certainly hear of that, but
it seems like in this case, maybe they've taken that to the next level in terms of the amount
of crossover between the tools that they're using and when they're doing it?
Sure.
It is fascinating that they're using state-sponsored espionage tools in their own missions.
And that really begs the question, is the Chinese government aware that they're doing
these moonlighting missions using state-sponsored tools?
And if so, are they okay with that?
It's something that we really
took a deep dive and really made sure that the attribution was right because we were
baffled that activity was actually happening. And you, with high confidence on your own,
and you're convinced that it is indeed going on. Correct. And it's something that we conferred
with our counterparts as well to make sure that other organizations had come to the
same conclusion. Yeah, it's a really fascinating aspect of this, different from what we see with
a lot of other groups. Now, one of the things you cover here are the potential links to other
Chinese espionage operators. Do you see much crossover? Are they working with other groups?
I mean, we definitely have the indications that there's at least a lot of resource sharing between these groups. And that's part of what's made APT41 really hard to define from the other
public reporting that's related to this group. There's a lot of tool overlap, especially regarding
a tool that is publicly reported as Winnti. So at FireEye, we refer to that tool as HIGHNOON.
And it's got many, many variants.
And for a long time, that tool was believed to be exclusive to a single group.
And that was one of the big driving forces behind us defining APT41 the way we did, actually,
was that it was clear to us that that particular tool was not exclusive to a single group and
that it was shared across multiple clusters of activity in a way that a lot
of the public reporting wasn't really emphasizing or they're kind of glossing over this fact.
And that was creating a lot of attribution problems and a lot of problems for defining
what exactly belonged in this group and how it behaved. And so, the big overlap we would say
would probably be between APT41 and APT17. APT17 is also referred to sometimes as Tailgater
or Deputy Dog, as well as any number of other public names. But collectively, a lot of times,
it's all lumped together as Winnti. And it makes it really tough to determine what's
relevant to one customer or another, or how best to give information to a network defender in a way
that's relevant to them and their particular industry. Yeah, so besides the malware overlap, there's also
overlap with the digital certificates. There's also overlap with the particular industries that
they're targeting, the timing of particular operations. And those are all things that we
had to consider when we began to harden the boundaries around what we were going to call APT41.
So what are the take-homes from here in
terms of, you know, folks protecting their own networks, being cautious about knowing that APT41
is out there and the things that they're up to? What sort of recommendations do you have?
At least from my perspective, the thing that is really interesting to me about APT41 is,
and this was a point of disagreement when we were writing this, like this kind of mismatch between the operation's capabilities and what it actually chooses to use.
So, and a lot of this just comes down to, I guess, awareness is ultimately the point
here.
So, what I mean is this is a group that has this enormous library of tools and they've
got a ton of malware available to them, both public and private, both shared and not shared,
you know, as well as some tools that are exclusive to themselves. And they've demonstrated this
enormous array of techniques and procedures that they're willing to pull out. But what's
interesting is they don't really dig deep into their bucket of tools. You know, they don't really
go deep into the arsenal unless they have to. And so, the demonstrated range of sophistication is highly variable from one
victim to the next and I think that's been really interesting about it. So, like you know,
at one organization for example, they'll just use like a simple spear phish and then they'll get in,
they'll just use publicly available tools and then that's good enough to achieve what they want.
But then at another organization, you know, they'll rely on an extremely complex supply chain compromise and they rely on whitelisting and then they'll, you know, deploy like a completely different set of tools than they would anywhere else.
And clearly they have the capability, but they'll only use it for like, you know, the most special selected victims or the most high value targets.
And so discipline is a really good word for it, like self-restraint, you know, and part of it is probably them trying to obfuscate their full capabilities or trying to hide their full range of tools.
But yeah, that level of self-discipline to be able to do that, I think that's a key characteristic of APT41's operations.
Nalani, what is your take on them? So I think, you know, despite their sophistication, we know they're a very sophisticated group. They
have a ton of malware in their tool set. Their initial infection vector into a lot of victims
is spear phishing. And so if you can do that security training up front with all of your users
to make sure that they're identifying potential spear phishing and reporting it,
then you can potentially get ahead of the actual infection or at least stopping it early in their
tracks. Because we know that once they get into the environment, they're very quickly moving.
And once they compromise, they can quickly move out throughout the environment, compromising
multiple locations across geographic regions.
So if you can respond quickly to the investigation, you have a higher chance of making sure that
you're responding appropriately.
It's definitely easier to keep them out than try to root them out once they're in.
Yeah, that's a really interesting insight.
I mean, I guess these folks are well-funded.
It seems as though they're patient, they're persistent, and they have a range of tools that they can draw from.
Correct.
I think the move towards telecoms is a really interesting trend and something that we have seen across different Chinese groups recently.
It's very interesting because telecoms give access to a wide number of individuals. And it also provides
that degree of separation between the threat actor and the actual victim. So that is an
interesting trend that we've seen across groups and with APT41.
Besides that shift towards strategic intelligence collection, the other thing that's pretty cool
about APT41, or interesting, maybe not cool, but it seems
that they're deployed for tactical operations sometimes.
So we identified instances, for example, where they were targeting a hotel.
And because of their behavior, because of what they were targeting and going for reservations
information and PII at the hotel.
And the timing of that particular operation was that they were targeting this hotel just before a group of Chinese VIPs were staying at the exact same facility, indicating that they
were probably sent to reconnoiter the facility just before this visit. So that sort of like
tactical deployment we think is pretty unique to APT41, or at least definitely one of the first
instances of us observing it. Another instance, for example, they were targeting a news and media organization in Hong Kong.
And based on the timing of that particular operation, we think that it was related to
the Umbrella Movement protests that were happening at the time.
And we think that that particular campaign led to the identification of protesters that were associated with the movement.
And it ultimately led to those protesters being locked out of the political process as it was
developing in Hong Kong. So, these kind of, you know, really in the trenches kind of activities,
these kind of like tactical deployments stand in pretty stark contrast to the bigger, you know,
strategic intelligence collection, more typical espionage activity that we usually see with these Chinese groups. So if anything, A, it demonstrates how flexible this group is and
the wide variety of operations that they can be tasked against, but also B, the capability of
this operation to point their tools, point their TTPs, point their capabilities at so many different
kinds of activity and so many different kinds of taskings as required. Yeah, they're sort of the go-to team when something needs to get done. These may be the
folks that get sent out that can do it reliably. Right, and across a wide range of activity.
Our thanks to Nalani Fraser and Fred Plan from FireEye for joining us.
The research is titled APT41, a dual espionage and cybercrime operation.
We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening.