Part 5 Comprehensive Guide to Advanced Persistent Threat (APT) Chinese Groups

Published at: 2024-02-13 09:50

Source: Mandiant

AI Generated

APT41: A Prolific Chinese State-Sponsored Cyberthreat Group

APT41 is a Chinese state-sponsored threat group that has been active since at least 2012 and is unusual in combining state-directed espionage with financially motivated intrusions. Key observations about its operations:

Targeting and Interests:

APT41 has targeted organizations globally across verticals including travel, telecommunications, healthcare, news, and education. Spear-phishing emails carrying malicious attachments are a common initial infection vector. Once inside a target organization, the group deploys additional malware to establish a persistent foothold.

Cobalt Strike Activity:

BlackBerry researchers tracked APT41's Cobalt Strike activity through a bespoke malleable command-and-control (C2) profile. FireEye had documented this same profile in March 2020 and attributed it to APT41-related activity. By pivoting on indicators of compromise (IOCs) that overlapped with infrastructure using the profile, the researchers uncovered additional APT41 infrastructure.
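The pivot described above is a generic analyst workflow: start from seed indicators tied to a known artifact (here, a distinctive C2 profile), then walk attributes those hosts share (certificate hash, profile fingerprint, registrant, JARM-style hash) to surface further candidate infrastructure. The following is an added example written for this page, not code from BlackBerry, FireEye or Mandiant. Every host name, hash and fingerprint in it is constructed, and the attribute names (`cert`, `profile`, `jarm`, `registrant`) are placeholders for whatever enrichment the analyst has. It also handles the failure mode practitioners trip over: an attribute shared by too many hosts (a CDN certificate, a common JARM hash) is not a pivot but a noise source, so it is skipped and reported.

```python
from collections import defaultdict, deque

# Constructed observations (NOT real indicators): indicator -> attributes seen
# on that host. Values stand in for a TLS cert hash, a malleable C2 profile
# fingerprint, a JARM hash and a domain registrant.
OBSERVATIONS = {
    "c2-a.test":    {"cert": "sha256:A", "profile": "bespoke-1", "registrant": "r1"},
    "c2-b.test":    {"cert": "sha256:A", "profile": "bespoke-1"},
    "c2-c.test":    {"cert": "sha256:B", "profile": "bespoke-1", "jarm": "J1"},
    "c2-d.test":    {"cert": "sha256:B", "registrant": "r1", "jarm": "Jcommon"},
    "c2-e.test":    {"cert": "sha256:E", "jarm": "J1"},
    # Unrelated hosts that merely share a widely used JARM hash with c2-d.
    "noise-1.test": {"cert": "sha256:N1", "jarm": "Jcommon"},
    "noise-2.test": {"cert": "sha256:N2", "jarm": "Jcommon"},
    "noise-3.test": {"cert": "sha256:N3", "jarm": "Jcommon"},
    "noise-4.test": {"cert": "sha256:N4", "jarm": "Jcommon"},
}


def index_by_attribute(observations):
    """Invert indicator -> attributes into (type, value) -> {indicators}."""
    idx = defaultdict(set)
    for indicator, attrs in observations.items():
        for kind, value in attrs.items():
            idx[(kind, value)].add(indicator)
    return idx


def pivot(observations, seeds, max_fanout=3, max_depth=2):
    """Breadth-first pivot from seed indicators across shared attributes.

    Returns (found, skipped). `found` maps each newly discovered indicator to
    (depth, linking attribute) so the analyst can judge how strong the link
    is; `skipped` lists attributes shared by more than `max_fanout` hosts,
    which are too common to be a meaningful pivot.
    """
    idx = index_by_attribute(observations)
    found = {}
    skipped = set()
    seen = set(seeds)
    queue = deque((seed, 0) for seed in seeds)
    while queue:
        indicator, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for key in observations.get(indicator, {}).items():
            members = idx[key]
            if len(members) > max_fanout:
                skipped.add(key)          # e.g. a CDN cert or common JARM hash
                continue
            for other in sorted(members):
                if other not in seen:
                    seen.add(other)
                    found[other] = (depth + 1, key)
                    queue.append((other, depth + 1))
    return found, sorted(skipped)


if __name__ == "__main__":
    found, skipped = pivot(OBSERVATIONS, ["c2-a.test"])
    for host, (depth, via) in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{host:14} depth={depth} via {via[0]}={via[1]}")
    print("skipped (too common):", skipped)
```

Seeded with `c2-a.test`, the walk reaches `c2-b` and `c2-c` through the shared certificate and C2 profile, `c2-d` through the registrant, and `c2-e` one hop further through the JARM hash seen on `c2-c`; the four `noise-*` hosts are never touched because `Jcommon` exceeds the fan-out threshold. Raising `max_fanout` to 10 pulls all four noise hosts in, which is exactly the false-positive blow-up the threshold exists to prevent.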

Recent Campaigns:

APT41 continues to run new campaigns. BlackBerry observed phishing lures themed around new Indian tax legislation and COVID-19 statistics in India, whose purpose was to load and execute a Cobalt Strike Beacon on the victim's network. The group adjusts its lures to current events while keeping its tooling consistent.

Global Intrusion Campaigns:

Mandiant observed APT41 running intrusion campaigns that used multiple exploits in parallel, indicating a high operational tempo and broad collection requirements. The group exploits both zero-day vulnerabilities and newly disclosed ones: it began exploiting the Log4j vulnerability (CVE-2021-44228, Log4Shell) within hours of its public disclosure in December 2021.

Airline Heist:

Group-IB researchers assessed that the ColunmTK campaign against Air India was likely carried out by APT41.

U.S. State Government Networks:

Between May 2021 and February 2022, APT41 compromised at least six U.S. state government networks by exploiting vulnerable Internet-facing web applications. Initial access included a zero-day in the USAHerds animal health management application (CVE-2021-44207), and later Log4Shell.

In summary, APT41 combines espionage with financially motivated criminal activity and has shown both adaptability and persistence across years of operations.

APT40:

Suspected Attribution: China.

Overview: APT40 conducts computer network exploitation (CNE) operations. A 2021 U.S. Department of Justice indictment charged individuals who operated through the front company Hainan Xiandun Technology Development Company on behalf of the Hainan State Security Department; refer to that indictment for details.

APT31:

Suspected Attribution: China.

APT31 is an active cyber-espionage group. It often uses spear-phishing as an initial compromise vector and has also exploited vulnerabilities in client applications such as Java and Adobe Flash. Malware that Mandiant associates with APT31 includes SOGU, LUCKYBIRD, SLOWGYRO, and DUCKFAT.

APT30:

Suspected Attribution: China.

APT30 has been active since at least 2005 and is notable for maintaining and adapting the same tools, tactics, and infrastructure over that entire period. Its data-theft toolset includes downloaders, backdoors, and components that infect removable drives, giving it a path into air-gapped networks. APT30 frequently registers its own DNS domains for malware command and control (C2).

APT27:

Suspected Attribution: China.

APT27 commonly uses spear-phishing for initial compromise. In at least one case, its operators used a compromised account at one victim organization to send spear-phishing emails to other intended victims in similar industries.

Cibera VPN Team