APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. APT41 has been active since as early as 2012. The group has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries.
Name: APT41 (FireEye). Aliases: WICKED PANDA (CrowdStrike), TG-2633 and BRONZE ATLAS (SecureWorks), Red Kelpie (PwC), Blackfly (Symantec)
Location: China
Suspected attribution: Chinese state-sponsored espionage group
Date of initial activity: 2012 (FireEye); SecureWorks tracks BRONZE ATLAS activity from at least 2007
Targets: Healthcare, telecom, technology, and video game industries in 14 countries.
Motivation: Espionage, Surveillance, Financial gain
Associated tools: Acehash, CCleaner v5.33 backdoor, China Chopper, Dicey MSDN, HUC Proxy Malware (Htran), Mimikatz, PlugX, PowerShell Empire, RbDoor, Speculoos, Winnti.
Attack vectors: Scan-and-exploit of internet-facing systems and phishing for initial access; intrusions enabled by code-signing certificates stolen from technology and gaming organizations; software supply-chain compromises delivered through trojanized vendor updates (CCleaner and NetSarang, 2017).
Assessment: FireEye Threat Intelligence assesses with high confidence that APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.
Activity traces back to 2012, when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely state-sponsored activity. This is remarkable because explicit financially motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests the two motivations were pursued concurrently from 2014 onward.
How they work: BRONZE ATLAS (the SecureWorks name for the group) has been operating since at least 2007. CTU researchers assess with high confidence that the group's intent is the theft of intellectual property from organizations in developed economies, and with moderate confidence that this is done on behalf of China to support decision making in a range of Chinese economic sectors.
The group primarily uses scan-and-exploit and phishing for initial access and enables its intrusions through the theft of code-signing certificates from technology and gaming organizations; binaries signed with a legitimately issued certificate pass the signature checks that would otherwise flag unsigned malware. CTU researchers have linked BRONZE ATLAS to targeted attacks on organizations in the pharmaceuticals, media, human rights, fossil fuels and agriculture sectors. The group has also been publicly linked to the high-collateral software supply-chain compromises of 2017 that leveraged trojanized software updates for CCleaner and NetSarang to compromise those products' users. BRONZE ATLAS is also known as APT41, Axiom or Winnti in public reporting.
References:
- https://www.secureworks.com/research/threat-profiles/bronze-atlas