APT41 stole COVID relief funds

Updated on 2022-12-29

German security firm DCSO has an IR report from a March 2021 APT41 intrusion where the Chinese espionage group tried and failed to deploy ransomware on the network of one of their victims (German company from the financial sector). Read more: APT41 — The spy who failed to encrypt me

Updated on 2022-12-07: APT41 stole COVID relief funds

The US Secret Service says that a Chinese hacking group known as APT41 has stolen more than $20 million in US government COVID-19 relief funds. The group’s activities were first highlighted in a Mandiant report published in August 2019. At the time, Mandiant said that while the group typically engages in cyber espionage for the Chinese government, its members were also moonlighting and dabbling in classic cybercrime operations for their own personal profits. Read more:

• APT41: A Dual Espionage and Cyber Crime Operation
• Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says

Updated on 2022-12-06

The Secret Service confirmed that the Chinese state-sponsored APT41 group stole over $20 million from U.S. COVID-relief funds, by targeting SBA loans and unemployment insurance funds in over 12 states. Read more: Prolific Chinese Hackers Stole US COVID funds

Updated 2022-10-19: Spyder Loader

Broadcom Symantec researchers said they spotted new attacks part of Operation CuckooBees. But unlike previous attacks, where this Chinese threat actor went after intellectual property, the new attacks targeted Hong Kong organizations with a version of the Spyder Loader malware. Read more:

• Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
• Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong

“The victims observed in the activity seen by Symantec were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign.”

Updated 2022-10-18

China-linked APT41 has been targeting government organizations in Hong Kong as part of a campaign, dubbed Operation CuckooBees. This ongoing campaign has raked in hundreds of GB of information. Read more: Chinese ‘Spyder Loader’ Malware Spotted Targeting Organizations in Hong Kong

China does a funny and tries to pose as IntrusionTruth

Something weird and very cringe-worthy happened at the start of the week when over the course of two days, on Monday and Tuesday, a few hundred (obviously very botty-bot) Twitter accounts started pushing a dumb rumor that the APT41 cyber-espionage group was actually the US National Security Agency.

In addition, some accounts tried to reinforce this ridiculously braindead disinformation attempt by floating a rumor that US cybersecurity firm Mandiant also linked APT41 to the NSA, which is obviously not true. Read more: APT41: A Dual Espionage and Cyber Crime Operation

Some accounts posted in Chinese, others posted in English, while others even went as far as to try and pose as IntrusionTruth—a mysterious entity that has been doxing Chinese APTs for half a decade now—in an attempt to give legitimacy to their wacky theory.

In fact, after exposing some of their internal structure in a blog post back in July, IntrusionTruth seems to believe that it was APT41 itself who orchestrated this entire Twitter lameness. Read more: Chinese APTs: Interlinked networks and side hustles

Imitation is the sincerest form of flattery. #APT41 can’t seem to stop themselves from emulating our work. We must be doing something right. As the Chinese say – 见贤思齐 https://t.co/QgpbR6fpI8

— Intrusion Truth (@intrusion_truth) October 13, 2022

It appears that Chinese actors may be trying to up their active measures/disinformation game. Noteworthy: low quality, low reach—and self-defeating subtext. For if indeed Chinese then this only illustrates that Intrusion Truth actually bites. Also note @NSA_CSDirector's response. https://t.co/G8ApbY3SqL

— @[email protected] (@RidT) October 12, 2022

We call it lameness because anyone with a basic understanding and foothold in the cybersecurity industry saw through this in the first five seconds.

Obviously, this disinformation campaign wasn’t meant for the big-brains in the infosec industry, but because it was caught on early on and ridiculed into the ground, it was also almost immediately yeeted into the sun by the time of this newsletter, with the vast majority of the participating accounts being wiped clean. Read more: APT41 Alternative attribution Twitter Post

Archived some of these posts to help folks looking to investigate. Missing a few because API limits 🤷https://t.co/6nmUAhba0q https://t.co/cI8vpCYwRA

— Silas (@silascutler) October 13, 2022

All of this fits in some bizarre trend that we’ve observed this year from the Chinese government, which has been obsessed with painting the US government, and the NSA in particular, as some sort of Dick Dastardly of the cyber-espionage world, responsible for all sorts of bad things, like… spying. Because that’s obviously not what an intelligence agency does.

But trying to attribute your own operations to your adversary, despite quite obvious targeting and tooling differences, is some sort of brazen GigaChad move… that’s just on another level of stupid and incompetence.

For disinformation like this to work, there needs to be at least some sort of doubt about the information you’re trying to counter, and nobody believes that the NSA spent years spying on US government agencies and running a ransomware op as a side hustle.

Anyway, to whoever had this idea, thanks for the chuckles! T’was a boring week in infosec.

Updated on September 2022

The US Department of Health & Human Services has published a security alert about APT41, a Chinese state-sponsored threat actor with a track history of targeting healthcare organizations. Read more: APT41 and Recent Activity September 22, 2022

Updated on June 2022: Bronze Riverside and Bronze Starlight

Cybersecurity firm Secureworks said in a report on Thursday that two Chinese APT groups—Bronze Riverside and Bronze Starlight—have been engaging in a coordinated campaign to steal intellectual property from their victims and then deploying ransomware as a cover-up for their intrusions. Bronze Riverside, also known as APT41, has been focused on Japanese companies, in particular. Read more: BRONZE STARLIGHT Ransomware Operations Use HUI Loader

Updatd on March 2022

Chinese spies hacked a livestock app to breach U.S. state networks

China state-backed hackers known as APT41, a group known for espionage but also financial-driven cyberattacks, broke into at least six U.S. state government networks — in two of those cases by using zero-day vulnerability in a web software called USAHERDS, used by 18 states for tracking animal diseases. Other networks were targeted by the Log4j vulnerability, just hours after details of the bug were revealed in December. Mandiant has more in its findings. It’s not clear what data, presumably, the hackers were after. Several members of APT41 were indicted by U.S. prosecutors in 2020 after a spate of attacks across Asia and the West, but this most go-around shows clearly that hasn’t stopped them. The Register rounds up some of the other threat group activity from the week.

Read more in

• Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
• Cybersecurity firm says Chinese hackers breached six US state agencies
• Cow-counting app abused by China ‘to spy on US states’

Mandiant: APT41 Broke into US State Government Networks

According to a report from Mandiant, threat actors affiliated with the APT41 hacking group infiltrated networks at numerous US state governments using the Log4j vulnerability and bugs in a livestock app. Mandiant detected and tracked the groups activity between May 2021 and February 2022. APT41 is a Chinese state-sponsored espionage group.

Note

• APT41, based in China, was exploiting a zero-day flaw in the USAHerds application, taking advantage of hard-coded credentials, and has now added leveraging Log4j vulnerabilities to their access techniques. Acclaim released an update to the USAHerds application in November of 2021. If you’re running the application, make sure you applied the patch. While you’ve been addressing Log4j on your Internet facing systems, don’t lose sight of it on your internal/trusted systems.

Read more in

• Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
• Chinese Spies Hacked a Livestock App to Breach US State Networks
• Cow-counting app abused by China ‘to spy on US states’
• Log4j and Livestock Apps: APT41 Wages Persistent Cyberattack Campaign on US Government
• Within hours of the Log4j flaw being revealed, these hackers were using it
• APT41 Spies Broke Into 6 US State Networks via a Livestock App

Ni Hao Brown Cow (Or, 你好马 lol)

APT41 used a vulnerability in the USAHerds animal health management web application to compromise at least six US state governments, Mandiant reports. Giddy up!

Mandiant also says APT41 has developed a Linux version of the KEYPLUG backdoor it has been using to target Windows environments. This version is now being deployed via Log4Shell into Linux environments. Mandiant also noticed APT41 had “substantially increased” use of Cloudflare services for command and control and data exfiltration.

APT41 is a prolific Chinese cybercrime and espionage group with a history of significant supply chain compromises including the Ccleaner and ASUS attacks. It is not clear what interest it has in US state governments.

In other Mandiant-related news, it’s just been bought by Google. Hopefully Mandiant maintains its robust track record of unveiling state hacking groups, although we worry that this isn’t compatible with Google’s approach.