UPDATED 21:57 EDT / SEPTEMBER 16 2020

SECURITY

Justice Department indicts Chinese, Malaysians and Iranians on hacking charges

The U.S. Department of Justice has indicted five Chinese nationals, two Malaysians and two Iranian nationals concerning alleged state-sponsored hacking campaigns.

The Chinese nationals and the Malaysians were alleged today to be linked to a hacking group known by various names in the cybersecurity community, including APT41, Wicked Panda and Winnti. Two of the defendants named in the indictment have been arrested in Malaysia, while five more remain at large at home in mainland China.

According to the indictment, the five Chinese nationals were behind computer intrusions affecting more than 100 companies and groups in the United States and abroad. Those targeted are said to include software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, nonprofit organizations, universities, think tanks and foreign governments as well as pro-democracy politicians and activists in Hong Kong.

The two Malaysians, described as businessmen, allegedly conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game industry. The pair, Wong Ong Hua, 46, and Ling Yang Ching, 32, were arrested by Malaysian authorities in Sitiwan, Perak State, on Sept. 14. According to The Register, the pair operated storefronts that sold hacked goods, including character equipment and stolen in-game virtual currency.

The Chinese hacking group was linked to the Chinese government in a report published in May 2018. Attacks attributed to the group include a cyberattack on German drugmaker Bayer AG in April 2019 and a campaign targeting smartphone users with malicious SMS messages in October.

The two Iranians indicted by the Justice Department are alleged to have stolen hundreds of terabytes of data in a series of cyberattacks, often at the behest of the Iranian government. Targets included confidential communications pertaining to national security, foreign policy intelligence, nonmilitary nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.

Hank Schless, senior manager, security solutions at mobile phishing firm Lookout Inc., told SiliconANGLE that the indictments indicate how malicious actors are diversifying their tactics. “In particular, breaching gaming companies to steal in-game items and currency for real-world profit rather than stealing corporate data means security teams need to be sure their efforts are well-distributed across both internal and external systems,” he said.

Zach Jones, senior director of detection research at application security provider WhiteHat Security Inc., noted that, as highlighted in the recent report from the Atlantic Council, the techniques allegedly used by the defendants — supply chain attacks and use of publicly known exploits in commercial and open source software — continue to be popular and powerful attack vectors.

“This case, one of hundreds known publicly over the past two decades, highlights the continued need for increased focus on securing the software that our digital lives depend on,” Jones added. “Organizations must increase their vigilance for vulnerabilities not only in their proprietary software but in the components they are composed of and the commercial software they operate to allow them to operate in the modern digital economy.”
