UPDATED 09:00 EST / OCTOBER 05 2021

SECURITY

BlackBerry links Chinese hacking group APT41 to previous campaigns

Ahead of its annual BlackBerry Security Summit, the BlackBerry Ltd. Research & Intelligence team today unveiled new research into Advanced Persistent Threat group 41, finding that it was linked to far more hacking campaigns than previously known.

APT 41, also known as Wicked Panda and Winti, is a Chinese state-sponsored hacking group that has previously been linked to a Chinese government intelligence agency. The group is prolific in its hacking activity and allegedly carries out espionage activities for the Chinese Communist Party and financially motivated activities outside state control.

The group has been in the spotlight several times over the last 18-months. In March 2020, FireEye Inc. detailed a global intrusion campaign being operated by APT41 using multiple exploits. These used phishing emails with malicious attachments and an initial infection vector. Having gained access, the group would then typically deploy more advanced malware to establish a persistent foothold.

The U.S. Department of Justice Members subsequently indicted members of the group in September 2020.

One previous commonality in those earlier APT41 attacks was using Cobalt Strike with a bespoke malleable command-and-control profile. Cobalt Strike is commercial penetration testing software that has become a favorite tool of hackers worldwide.

The BlackBerry researchers dug into past disparate malware campaigns where Cobalt Strike with malleable C&C was being used, not a particularly common hacking method. Perhaps not surprisingly, they found many previously unlinked attacks were attributable to APT41.

“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” the researchers note. “And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.”

While digging around, the researchers also discovered new phishing lures targeting victims in India, containing information related to new tax legislation and COVID-19 statistics.

The messages targeting Indians masqueraded as being from Indian government entities. These lures were part of an execution chain and aimed to load and execute a Cobalt Strike Beacon on a victim’s network.

“With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the researchers concluded. “And while no one security group has that same level of funding, by pooling our collective brainpower, we can still uncover the tracks that the cybercriminals involved worked so hard to hide.”

Image: Department of Justice

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU