APT41 – The Spy Who Encrypted Me.
This case study is based on our most recent investigation into one of APT41’s operations against a major global nonprofit organization. Our client contacted us at the end of March 2020 after discovering the ransom notes…
LIFARS' evidence from the forensic investigation was used in a criminal indictment:
When a nation-state actor becomes a cybercriminal (and vice-versa).
This could be the opening of an action or cloak-and-dagger movie. Unfortunately, it is the actor we faced in several of our recent cases: APT41 is a threat actor that appears to be both nation-state and cybercriminal, engaging in espionage and industrial espionage as well as extortion through ransomware attacks.
As cybersecurity specialists, finding that an attack we are investigating ties back to an APT group is always a significant finding: given the resources nation-states can commit to these groups, anything and everything is possible.
Since the end of March 2020, we have encountered cases that bear the hallmarks of such actors, and more specifically of a threat actor that behaves at times as a nation-state and at other times as a cybercriminal.
An advanced persistent threat (APT) is typically either a nation-state actor, whose aim is to benefit its state through sabotage, espionage, or industrial espionage, or a cybercriminal, whose aim is to make money through theft, fraud, ransom, or blackmail.
One such "dual-faced" group is the China-based group APT41. Known for both financially motivated and state-sponsored campaigns, its origins date back to as early as 2012, when it targeted the video game industry. Its most famous action was to steal digital certificates from compromised victims; those certificates were then used to sign malware implanted on other victims' networks, which were later leveraged in state-sponsored campaigns.
Our recent cases have pitted us against this threat actor.
The present Case Study shows some of the highlights of our first investigation in which APT41's involvement was impossible to deny. The Case Study also provides the indicators of compromise (IOCs) we gathered in the process.
More cyber indictment cases in which arrest warrants have already been issued:
- Case Study – APT10, Cloud Hopper, Plugx & RedLeaves
DOJ Office of Public Affairs » News » Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information
- Whitepaper – LIFARS investigation uncovering the xDedic Market.
DOJ Office of Public Affairs » News » The xDedic Marketplace, A Website Involved In The Illicit Sale Of Compromised Computer Credentials And Personally Identifiable Information, Shut Down
- Advanced Persistent Threat (APT) Lazarus’ Latest Campaigns
DOJ Office of Public Affairs » News » North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions
- SamSam Ransomware
DOJ Office of Public Affairs » News » Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses
- FBI Deputy Director David Bowdich’s Remarks at Press Conference on China-Related Cyber Indictments
- Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally