The Chinese advanced persistent threat (APT) actor tracked as
Winnti (aka APT41) targeted at least 13 organizations across the
U.S., Taiwan, India, Vietnam, and China in four distinct campaigns
during 2021.
“The targeted industries included the public sector,
manufacturing, healthcare, logistics, hospitality, education, as
well as the media and aviation,” cybersecurity firm Group-IB
said[1] in a report shared with The Hacker News.
This also included the attack on Air India that came to light in
June 2021 as part of a campaign codenamed ColunmTK[2]. The other three
campaigns have been assigned the monikers DelayLinkTK, Mute-Pond,
and Gentle-Voice based on the domain names used in the attacks.
APT41, also known as Barium, Bronze Atlas, Double Dragon, Wicked
Panda, or Winnti, is a prolific[3] Chinese[4] cyber threat group[5]
that has been known to carry out state-sponsored espionage in
parallel with financially motivated operations since at least 2007.
Group-IB described 2021 as an “intense year for APT41.” The attacks
mounted by the adversary primarily leveraged SQL injection against
targeted domains as the initial access vector to infiltrate victim
networks, followed by delivery of a custom Cobalt Strike beacon to
the compromised endpoints.
“APT41 members usually use phishing, exploit various
vulnerabilities (including Proxylogon), and conduct watering hole
or supply-chain attacks to initially compromise their victims,” the
researchers said.
Other post-exploitation actions ranged from establishing persistence
and stealing credentials to reconnaissance using living-off-the-land
(LotL) techniques to map the compromised environment and move
laterally across the network.
The Singapore-headquartered company said it identified 106
unique Cobalt Strike servers used exclusively by APT41 for
command-and-control between early 2020 and late 2021. Most of
the servers are no longer active.
The findings mark the continued abuse[6] of the legitimate adversary
simulation framework by different threat actors for post-intrusion
malicious activities.
“In the past, the tool was appreciated by cybercriminal gangs
targeting banks, while today it is popular among various threat
actors regardless of their motivation, including infamous
ransomware operators,” Group-IB Threat Analyst, Nikita Rostovtsev,
said.
References
Read more https://thehackernews.com/2022/08/china-backed-apt41-hackers-targeted-13.html