Chinese hacker group APT 41 has been in the news for multiple instances of cyberattacks, espionage, cyber piracy, and cybercrimes for at least a decade now. In 2022, however, APT 41’s activities have expanded significantly to net more data and geo-political leverage for its backers. This trend does have implications for governments and institutions of economic significance in various countries as they will now be targeted with multi-tactic and multi-platform tactics that will not just be hard to detect but hard to counter as well.
Table of Contents
While APT 27 the other Chinese APT group is now more or less focused on Taiwan and quite open (and vocal) with its threats, APT 41 has adopted an entirely different doctrine towards cyber espionage.
Understanding APT 41’s information gathering approach rests on:
- Gathering critical information on a target through sporadic yet persistent episodes of breach
- Deploying malware that remains unannounced on networks, conduct reconnaissance lasting over 200 days at a stretch
- Leverage Zero Days to hijack assets while keeping the hack a secret to be leveraged during a crisis or geopolitical confrontation
- Modifying TTPs constantly to evade detection
- Sharing harvested data with other groups including APT27 for further mining and exploitation
- Rapid targeting of entities using primary breach and using data mopped up from the Dark Web and dead drops. APT 41 is among the fastest APTs. It can roll out an attack on a new target in less than 24 hours after being instructed to do so.
- Focused and adaptive strategy to create breaches in networks of interest. It doesn’t shy away from tapping telecom networks for obtaining confidential data for targeting specific entities
- There is a large repository of data collected by this group that is repurposed for launching attacks. This includes databases with login and access credentials
- Remote malware assembly and dissemination is another capability that APT 41 uses to deploy malware. SQL injection in websites with weak security is a common tactic this group uses.
- Targeting governments and industry associations to collect data for subsequent cyberattacks.
APT 41 has been focusing a lot on intercepting government conversations, high-tech research, and select targets using spear phishing, listening, water holes, RATs and backdoors, and communication chain attacks. The group specializes in attacks on large and tough-to-breach targets including telcos and defense projects. Its training regimen includes making trainees start their stint with APT 41 with first-level attacks on select Taiwanese targets. They are then deployed on select projects across South and South-East Asia.
The group is also known to pursue subtle monetization options and has been known to sell stolen IP in closed forums through intermediaries. What APT 41 does with the money it earns is not fully known. While North Korean Lazarus is known to hand over its earnings to the government, some part of APT 41’s revenues may be shared with their handling agency within the Chinese government.
The economic threat from APT 41
The rising activity levels of APT 41 will eventually lead to an economic impact on various countries where its targets reside. APT 41 can theoretically connect attacks across critical infrastructures to create a single attack wave that causes business shutdowns, and exfiltration of confidential economic information including impending regulations or data that could lead to lowering of sentiment in the stock markets and pressures on the currency of countries.
This wave could also degrade the ability of a nation to respond to an economic or military threat or an internal disturbance. Overall, such a destabilization could impact not just the target country but the region and many multilateral institutions as well.
If the past attacks of APT 41 are anything to go by this group is being prepared for attaining much larger objectives of the government agencies that they report to. The long-term stealthy intervention-driven network, communications, and asset reconnaissance point to a larger game plan.
Connect with Sectrio’s Cybersecurity Awareness Month initiatives to learn more about APT 41 and other threat actors.
Want to learn more about OT and ICS security tactics and strategies? Speak to an OT security expert.
Find out what is lurking in your network. Go for a comprehensive 3 layer threat assessment now
See our OT security solution in action. Sign up for a free demo now.
Get your free threat intelligence feeds here.
Understanding APT 41’s information gathering approach in 10 steps