The US government has filed charges today against five Chinese nationals for hacking into more than 100 companies across the world, part of a state-sponsored hacking group known as APT41.
According to court documents unsealed today, US officials said the group has hacked software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, healthcare, non-profit organizations, universities, think tanks, from where they stole proprietary source code, code-signing certificates, customer data, and valuable business information.
Victim companies resided in countries such as the US, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.
US officials said APT41 members also compromised foreign government computer networks in India and Vietnam, as well as pro-democracy politicians and activists in Hong Kong. Attacks against the UK government were also executed but were not successful.
The APT41 group is one of today’s most infamous and most active state-sponsored hacking groups. ATP41’s operations were first detailed in their full breadth in a FireEye report published in August 2019, with the report linking the group to some of the biggest supply-chain attacks in recent years, and to older hacks going to as early as 2012.
At the time, the report was also ground-breaking, as FireEye researchers revealed how the group conducted both cyber-espionage for the Chinese regime but also intrusions for personal financial gain, usually executed outside normal working hours. Most of these side-hacks usually targeted gaming companies, from where the hackers stole source code or in-game digital currency.
In some cases, APT41 was also spotted deploying ransomware and installed malware that mined cryptocurrency for the group’s members. While it’s unknown how many of these incidents have occurred, the DOJ named one victim of a ransomware attack as “a non-profit organization dedicated to combating global poverty.”
Five Chinese nationals indicted
According to court documents obtained by ZDNet, the indictments came in two waves but were unsealed today. The first two APT41 members were identified and charged in August 2019, following the FireEye report. According to a copy of the 2019 indictment, these charges stemmed from allegedly hacking high technology and video gaming companies, and a United Kingdom citizen. The two suspects were identified as:
- Zhang Haoran (张浩然), 35
- Tan Dailin (谭戴林), 35
Three more APT41 members were charged in a separate indictment filed last month, in August 2020. These three were charged with most of the APT41 intrusions.
- Jiang Lizhi (蒋立志), 35
- Qian Chuan (钱川), 39
- Fu Qiang (付强), 37
US officials said the three were employees of Chengdu 404 Network Technology, a front company that operated under the close supervision of PRC officials. Court documents also revealed that US officials intercepted online chats between Jiang and other Chinese hackers, conversations where Jiang touted knowing and operating under Gong An, a high-ranking official in the Chinese Ministery of Public Security.
All five APT41 members remain at large, and their names have been added to the FBI’s Cyber Most Wanted List.
In addition, two Malaysian businessmen were also charged for conspiring with two of the APT41 members to profit from intrusions at video game companies. The two were arrested on Monday, September 14, by Malaysian authorities in the Malaysian city of Sitiawan.
According to court documents, the two have been identified as Wong Ong Hua, 46, and Ling Yang Ching, 32, owners of Sea Gamer Mall, a website that sold digital currency for various online games — a currency that US officials believe was sometimes provided by APT41 members illegally, following intrusions at gaming companies.
In a live-streamed press conference today, FBI Deputy Director David L. Bowdich, said the Bureau is currently seeking the extradition of the two Malaysian businessmen to the US, to face their charges.
The FBI, which spearheaded the investigation, also obtained a court warrant earlier this month and seized “hundreds of accounts, servers, domain names, and command-and-control (C2) ‘dead drop’ web pages” used by APT41 in past operations.
Third Chinese state hacking group disrupted by US officials since 2017
The arrests today are part of a larger US crackdown against Chinese cyber-espionage and theft of intellectual property from US companies. US authorities previously charged three other Chinese hackers in November 2017 (believed to be part of Chinese hacker group APT3) and two other hackers in December 2018 (believed to be part of Chinese hacker group APT10).
Earlier this year, the FBI said it was investigating more than 1,000 cases of Chinese theft of US technology.
“Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the Department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said Assistant Attorney
General John C. Demers.
“Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China,” added Deputy Attorney General Jeffrey A. Rosen.