For more than a decade, hackers working on behalf of the Chinese government have brazenly pursued advanced cyber intrusions on technology companies, with a particular focus on those that market software, such as CCleaner, role-playing games, and other types of games. On Wednesday, US authorities fired back, charging seven men allegedly backed by the Chinese government with carrying out a string of financially motivated hacks on more than 100 US and overseas organizations.
US prosecutors said the men targeted tech companies with the aim of stealing software-signing certificates, customer account data, and valuable business information, all with the tacit approval of the Chinese government. Working for front companies located in China, the defendants allegedly used the intrusions into game and software makers for money laundering, identity theft, wire and access device fraud, and to facilitate other criminal schemes, such as ransomware and cryptojacking schemes.
According to one of three indictments unsealed on Wednesday, defendant Jiang Lizhi boasted of his connections to China’s Ministry of State Security and claimed it provided him with legal protection “unless something very big happens.” Jiang’s business associate, Qian Chuan, allegedly spent the past 10 years supporting Chinese government projects, including development of a secure cleaning tool to wipe confidential data from digital media.
Along with a third man, Fu Qiang, the men worked for and were officers of a China-based firm called Chengdu 404 Network Technology Co. Ltd. The company publicly described itself as a network security company, composed of elite white-hat hackers who provided penetration testing, password recovery, mobile device forensics, and other defensive services. Chengdu 404’s website said that customers include “public security, military, and military enterprises.” The company’s front desk is pictured below.
“However, in addition to any purported ‘white hat’ or defensive network security services which it provided, Chengdu 404 was also responsible for ‘offensive’ network security operations,” prosecutors wrote. “That is to say, Chengdu 404 employees and officers including Jiang, Qian, and Fu committed, and conspired to commit, criminal computer intrusion offenses targeting computer networks around the world, including, and as described further herein, over 100 victim companies, organizations, and individuals in the United States and around the world, including in South Korea, Japan, India, Taiwan, Hong Kong, Malaysia, Vietnam, Pakistan, Australia, the United Kingdom, Chile, Indonesia, Singapore, and Thailand.”
Two other men, Zhang Haoran, 35, and Tan Dailin, 35, allegedly participated in a “computer hacking conspiracy” that targeted tech companies in a scheme to launder money, steal identities, and commit wire fraud. Prosecutors said in a second indictment that the men participated in a “video game conspiracy” with the purpose of hacking video game companies and obtaining game currency or other data of value and selling them at a profit. The men also used these hacks to pursue cyber intrusions on unrelated targets, the indictment said.
Crooks and spies unite
The five defendants—along with two Malaysian nationals, Wong Ong Hua, 46, and Ling Yang Ching, 32, named in a third indictment—were tracked down using research data on APT41, short for advanced persistent threat No. 41. The group, which researchers say has close ties to Chinese government espionage programs, goes by many other names, including Winnti, Barium, Wicked Panda, and Wicked Spider.
By analyzing command servers, attack tools, and other data belonging to the group, researchers have determined it was behind a string of high-profile breaches, including the 2017 and 2019 supply chain attacks on CCleaner and Asus that seeded their updates with malware. Earlier this year, security firm Eset said, the group was behind hacks on multiple game makers. While company researchers didn’t identify the targets, they said the hacks used signing certificates stolen from Nfinity Games during a 2018 hack of that gaming developer.
Wednesday’s indictments illustrate the dual roles played by some hackers who work in cooperation with, or on behalf of, the Chinese government. In exchange for hackers providing the government with espionage data that helps track dissidents or organizations of interest or steal intellectual property, the government agrees to turn a blind eye to the money-motivated attacks pursued against companies not affiliated with Chinese national interests. Security firm Mandiant, which has closely tracked APT41 for years, published this detailed report last year.
In an email sent on Wednesday, Mandiant senior director of analysis John Hultquist summarized the relationship this way:
APT41 has been involved in several high-profile supply chain incidents which often blended their criminal interest in video games with the espionage operations they were carrying out on behalf of the state. For instance, they compromised video game distributors to proliferate malware which could then be used for follow-up operations. They have also been connected to well-known incidents involving Netsarang and ASUS updates.
In recent years they have focused heavily on telecommunications, travel, and hospitality sectors, which we believe are attempts to identify, monitor, and track individuals of interest, operations which could have serious, even physical consequences for some victims. They have also participated in efforts to monitor Hong Kong during recent democracy protests.
Though much of the intellectual property theft connected to this actor has declined in favor of other operations in recent years, they have continued to target medical institutions, suggesting they may still have an interest in medical technology.
Intelligence services leverage criminals such as APT41 for their own ends because they are an expedient, cost-effective, and deniable capability. APT41’s criminal operations appear to predate the work they do on behalf of the state and they may have been co-opted by a security service who would have significant leverage over them. In situations such as this, a bargain can be reached between the security service and the operators wherein the operators enjoy protection in return for offering high-end talent to the service. Furthermore, the service enjoys a measure of deniability when the operators are identified. Arguably, that is the case right now.
The hammer drops
Wong and Ling were arrested on Monday. The remaining defendants aren’t likely to be seized as long as they stay in China or other countries that don’t have extradition treaties with the United States. Still, the warrants for their arrest mean that they can’t travel widely throughout the world without risking being detained and tried for their alleged crimes.
Besides the arrests and arrest warrants, the federal government this month seized hundreds of accounts, servers, domain names, and booby-trapped webpages the defendants allegedly used to conduct their intrusions. Microsoft played a significant role in taking down the operations by implementing technical measures that blocked them from accessing victims’ computers. Several other companies that weren’t identified also provided assistance by disabling attacker-controlled accounts for violations of their terms of service.
Two of the APT41 hallmarks are its organizational skills and the ability to effectively use software exploits to gain unauthorized access to targeted networks. The ability to steal signing certificates from one victim and use them to attack new targets is an example of the first. Its talent in using exploits is borne out by the breadth of exploits prosecutors laid out in Wednesday’s indictments. Six of them—indexed as CVE-2019-19781, CVE-2019-11510, CVE-2019-16920, CVE-2019-16278, CVE-2019-1652, and CVE-2019-10189—targeted a diverse set of products, from network VPNs to Web server software, to Internet-of-things devices. Many such devices remain unpatched weeks or even months after updates become available.
Did we mention Iran?
The unsealing of the indictments came a day after federal prosecutors filed an indictment against two Iranian nationals also accused of hacking into US networks and stealing data to both financially profit and support the Iranian government. That action came around the same time prosecutors unsealed an indictment charging two Russians with engaging in a $17M cryptocurrency phishing spree.
Members of the law enforcement and security industries continue to debate just how significant moves like Wednesday’s, against the alleged APT41 hackers, are. The defendants who remain at large aren’t likely to curtail their alleged operations, and APT41 likely won’t need long to rebuild the infrastructure that was taken down. Through that prism, it’s easy to see the move as little more than a game of whack-a-mole.
The counterargument is that law enforcement and private sectors are getting better at coordinated strikes that significantly disrupt operations, even if only temporarily. Besides the disruption, the action also gets the attention of Chinese government officials and sends the message that the impunity China-sponsored hackers enjoy isn’t absolute.