Research Saturday 10.5.19
Ep 105 | 10.5.19

The fuzzy boundaries of APT41.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word from our sponsor, Juniper Networks. Join Juniper at NXTWORK 2019 to learn, share, and collaborate with game-changers from companies across the networking industry. This year's event features keynotes from Juniper executives, as well as special guest speaker Earvin "Magic" Johnson, along with over forty breakouts and master classes led by distinguished engineers, as well as various opportunities for certification testing and training. Visit for more information. That's And we thank Juniper for sponsoring our show.

Dave Bittner: [00:01:05] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Nalani Fraser: [00:01:49] So, we have been tracking this group for a very long time.

Dave Bittner: [00:01:52] That's Nalani Fraser, Senior Manager of the Advanced Analysis Team for FireEye Threat Intelligence. She's joined by Fred Plan, a Senior Analyst on FireEye's Cyber Espionage Threat Intelligence Team. The research we're discussing today is titled, "APT41: A Dual Espionage and Cyber Crime Operation."

Nalani Fraser: [00:02:10] Starting in about 2012, APT41 is a Chinese state-sponsored espionage group that conducts financially motivated activity as well for personal gain.

Dave Bittner: [00:02:22] So, there are some unique things about APT41. From the outset, there's some things that sort of set them apart from some other groups, particularly Chinese groups. Can you take us through – what are some of the things that make them unique?

Fred Plan: [00:02:34] One of the big distinct things about APT41 is the fact that it's conducting both financially motivated cybercrime operations alongside and simultaneously with the cyber espionage campaigns. So, usually with the Chinese espionage groups, they tend to do just the nation-state stuff. If they're doing anything on the side, it's quite a bit separate. But in the case of APT41, there's a lot of overlap between these two worlds within a single group. So, that includes the timing – they're conducting both the financially motivated activity as well as the espionage activity often on the same day, and long-running campaigns running at the same time – but also in terms of the tools they're using. So, they're using tools that are used by pretty much every other Chinese espionage group only for espionage stuff. But APT41 will use those same tools also for the financially motivated stuff. So it's pretty unique to this particular group.

Dave Bittner: [00:03:29] Yeah, that's really interesting. And the report goes into some details about how it seems as though they may have gotten their start going after the video game industry?

Fred Plan: [00:03:38] Yes, that's right. So, we think that this group – they have a strong personal interest in the video game industry, and a lot of what they are doing in the financially motivated world is targeted against the video game industry. So a lot of their earlier operations are concentrated against not just video game studios and developers, but also payment platforms and online forums and other related services that are part of the world of video gaming. And a lot of the operations that they're conducting and how they're conducting these operations – the TTPs – will often emerge first in their targeting of video game organizations and then later kind of bleed over into the espionage activities that they're also doing.

Dave Bittner: [00:04:23] Does this lead to any speculation that, you know, they got their start doing non-government type of work and perhaps they caught the government's eye and they said, hey, you guys are doing some interesting work here – how'd you like to come work for us? Is that a possibility or is that just purely speculative?

Nalani Fraser: [00:04:38] It is a possibility, and in fact, we have research dating back to at least 2005, indicating that individuals who were responsible for this activity were advertising hacker-for-hire services. So they were saying they were available for hacking into system networks, and we believe that that was probably in a contractor capacity.

Dave Bittner: [00:05:01] Well, let's walk through the research together. Take me through – who does it seem as though they're targeting?

Nalani Fraser: [00:05:07] Sure. So, they have targeted a wide range of industries since at least 2012. So, on the espionage side, we've seen them target healthcare and high-tech media, travel organizations – really gathering intelligence, which would be aligned with China's Five-Year economic development plans. And then, as Fred mentioned, we have seen them also target video game organizations for primarily financial gain.

Dave Bittner: [00:05:35] And where are they targeting? Are there specific geographic areas that it seems as though they're hitting?

Fred Plan: [00:05:40] They aren't really geographic specialists. It's more of they'll target particular organizations they're focused on regardless of where they are. So, there's a tendency, for example, with the healthcare targeting, to be concentrated in, say, Western Europe or East Asia, but that's not because of the region, but because that's where that particular industry happens to be. So, APT41 is definitely region-agnostic, if that's the term.

Dave Bittner: [00:06:04] It's interesting to me, looking through your research, how their activities have shifted over time. It's one of the things you track here. Can you walk us through – what are some of the changes that you've seen them make?

Fred Plan: [00:06:14] There's kind of a split in the consistency along the financially motivated activity and the espionage activity. So, on the financially motivated side, that's been pretty consistent with targeting the video game industry, for example. There's just kind of an escalation of the different tactics that they'll use against a particular industry, and so we usually use that as an example of their growth or their growing maturity, at least in terms of their cybercrime activity.

Fred Plan: [00:06:35] For the espionage stuff it's a little different. That one has changed a lot over time, and we have a chart in the report which shows how these industries that they're targeting kind of pop back on and fall back off. And we think that kind of inconsistency, or the big shifts in their activity, is consistent with them being a contractor. So, maybe this group is – you know, they're contracted to target healthcare for a year or two, and then that contract either ends or they move off of it, and they contract over to targeting the high-tech sector, for example, and then they'll get off of that and target something else. At least in terms of espionage activity, their targeting is a lot less consistent, at least compared to their financially motivated operations.

Dave Bittner: [00:07:14] Yeah, it was interesting too – one thing that caught my eye in the research was this notion of them moving towards strategic intelligence collection and away from intellectual property theft. I think a lot of us, when we think of the activities of the Chinese, we think about intellectual property theft. But your reporting here shows that there may be a shift away from that.

Nalani Fraser: [00:07:34] Yeah, since about 2015, we've noticed just overall a shift away from intellectual property theft. They have still been targeting organizations and different organizations that would be in industries of interest for intellectual property, but we actually haven't seen that IP theft. So that brings up interesting questions about are they gaining intelligence through other means? But we have seen continued interest in strategic intelligence collection – so, targeting of telecom organizations, for example, targeting call data records and SMS records of interest to the Chinese government.

Dave Bittner: [00:08:13] Yeah, one of the sections in the report discusses the cyber espionage activity, and you mention China's "Made in China 2025" plan and how their activities seem to align with that plan.

Nalani Fraser: [00:08:24] Sure. That is something that we've seen specifically in the medical device industry, for example. China's "Made in 2025" plan is pretty specific in the fact that China is really trying to reduce their dependence on importing medical device technology, and so one way to do that is to take that technology and develop it on their own.

Dave Bittner: [00:08:45] Yeah, let's dig into some of the case studies that you've outlined here in the report. We said at the outset that it seems as though these folks had an interest in video gaming. What sort of things did you find in terms of their targeting of that part of the industry?

Fred Plan: [00:08:59] So, for the video gaming stuff, this is the sector that I like to talk about the most, as the most indicative or provides the best examples of their growth and maturity over time. So, the earliest activity that we saw being conducted by the APT41 actors is pretty low-level, pretty basic to start with. It's things like their activity on different, like, very Chinese market-specific video games. Their discovery of different ways to bend the rules in different games and targeting some sort of, like, third-party services that are related to those types of games specifically.

Fred Plan: [00:09:35] And then over time, this expands. So, we start seeing it targeting other games that are popular throughout the East Asian region in particular. And we see this start escalating to other types of monetization activity. So, that will include things like targeting the real money transaction platforms that let people buy things with real-life money for converting into in-game value. That includes targeting these specific systems that track how much virtual currency a particular account has. So, they would be straight-up generating virtual currency and then transferring that to their own actor-controlled accounts, and basically money laundering within the game platform itself. And that even escalated to the point where they were even deploying ransomware on different video game studios' servers. So, you could see definitely there's this growth in different tactics, and the growth of the sophistication of these tactics over time.

Fred Plan: [00:10:32] The big thing that we were trying to highlight in the report is how APT41 – how they developed the ability to very successfully navigate through any targeted system that they wanted. So, in the video game industry, what they were doing was initially getting into a targeted network and then moving laterally around until they could reach the production environment, or where a video game studio or developer builds the next expansion to a game or the next game. So, once they reached that environment, that really gave APT41 access to anything they wanted within the game environment, right? So, it gives them insight into what the newest games are coming out, it gives them insight into how the games are put together or how they operate internally and how they interact with other systems that are set up by the video game company.

Fred Plan: [00:11:22] And reaching that production server puts them in a position to do any number of things. So, the primary things being injecting their own code into legitimate game updates and files. Also, it put them in a position to access the video game companies' digital certificates, right? And so, their own injected code could then be used and be signed by legitimate digital certificates. And of course, that lends itself quite easily then to supply chain compromises. So that's where – this industry is where we saw APT41 initially conducting supply chain compromises. Again, that's – they would have access to legitimate files or game updates, they would be able to inject their own code, including backdoors or Trojans, into these legitimate updates, and then these would be pushed out, and after being signed by legitimate digital certificates. They would be pushed out to all the users, and now APT41 is in a position to compromise pretty much the entire user base of these particular games.

Fred Plan: [00:12:26] And so, once they started doing that within the video game industry, they were able to apply a lot of these lessons and a lot of these exact same TTPs to other software companies. And so that's why we saw these kind of supply chain compromises being conducted and leveraging the software updates for other software companies.

Dave Bittner: [00:12:44] Is it fair to say that one element of APT41 is the breadth of tools and techniques they have at their disposal? That they come at things from a lot of different directions and seem to have success doing it?

Nalani Fraser: [00:12:55] Yes, that's fair to say. APT41 has a very large toolset – more than some of the other threat groups that we track. We noticed that APT41 has over forty-six different malware families. Some of them are shared with other Chinese espionage groups and some of them it looks like they have developed on their own.

Dave Bittner: [00:13:14] Yeah, it's interesting – one of the things that you track here are the overlaps between the espionage and the financial operations. I guess it's not unusual to see folks in this line of work doing some freelancing – we certainly hear of that – but it seems like in this case maybe they've taken that to the next level in terms of the amount of crossover between the tools that they're using and when they're doing it.

Nalani Fraser: [00:13:38] Sure. It is fascinating that they're using state-sponsored espionage tools in their own missions. And that really begs the question, is the Chinese government aware that they're doing these moonlighting missions using state-sponsored tools? And if so, are they OK with that? It's something that we really took a deep dive and really made sure that the attribution was right, because we were baffled that activity was actually happening.

Dave Bittner: [00:14:06] And you, with high confidence on your own end, you're convinced that it is indeed going on.

Nalani Fraser: [00:14:10] Correct. And it's something that we conferred with our counterparts as well, to make sure that other organizations had come to the same conclusion.

Dave Bittner: [00:14:19] Yeah, it's a really fascinating aspect of this, different from what we see with a lot of other groups. Now, one of the things you cover here are the potential links to other Chinese espionage operators. Do you see much crossover? Are they working with other groups?

Fred Plan: [00:14:34] I mean, we definitely have indications that there's at least a lot of resource sharing between these groups. And that's part of what's made APT41 really hard to define from the other public reporting that's related to this group. There's a lot of tool overlap, especially regarding a tool that is publicly reported as Winnti, or Win-N-T-I. So, at FireEye we refer to that tool as HIGHNOON, and it's got many, many different variants. And for a long time, that tool was believed to be exclusive to a single group. And that was one of the big driving forces behind us defining APT41 the way we did, actually, was that it was clear to us that that particular tool was not exclusive to a single group, and that it was shared across multiple clusters of activity in a way that a lot of the public reporting wasn't really emphasizing, or they were kind of glossing over this fact. And that was creating a lot of attribution problems and a lot of problems for defining what exactly belonged in this group and how it behaved.

Fred Plan: [00:15:30] And so the big overlap, we would say, would probably be between APT41 and APT17. That particular operation, APT17, is also referred to sometimes as Tailgator or Deputy Dog, as well as any number of other public names. But collectively, a lot of times it's all lumped together all as Winnti, and it makes it really tough to determine what's relevant to one customer or another, or how best to give information to a network defender in a way that's relevant to them in their particular industry. Yeah, so besides the malware overlap, there's also overlap with the digital certificates. There's also overlap with the particular industries that they're targeting, the timing of particular operations. And those are all things that we have to consider when we began to harden the boundaries around what we were going to call APT41.

Dave Bittner: [00:16:15] So, what are the take-homes from here, in terms of folks protecting their own networks, being cautious about knowing that APT41 is out there and the things that they're up to? What sort of recommendations do you have?

Fred Plan: [00:16:28] At least from my perspective, the thing that is really interesting to me about APT41 is – and this was a point of disagreement when we were writing this – like, this kind of mismatch between the operations capabilities and what it actually chooses to use. So, a lot of this comes out to, I guess, awareness. This is ultimately the point here. So, what I mean is this is a group that has this enormous library of tools and they've got a ton of malware available to them, both public and private, both shared and not shared, as well as some tools that are exclusive to themselves. And they've demonstrated this enormous array of techniques and procedures that they're willing to pull out.

Fred Plan: [00:17:05] But what's interesting is they don't really dig deep into their bucket of tools, you know, they don't really go deep into their arsenal unless they have to. And so the demonstrated range of sophistication is highly variable from one victim to the next. And I think that's been really interesting about it. So, like, you know, at one organization, for example, they'll just use, like, a simple spearphish, and then they'll get in and they'll just use publicly available tools, and then that's good enough to achieve what they want.

Fred Plan: [00:17:32] But then at another organization, you know, they'll rely on an extremely complex supply chain compromise, and they rely on whitelisting, and then they'll deploy, like, a completely different set of tools than they would anywhere else. And clearly they have the capability, but they'll only use it for, like, you know, the most special selected victims or the most high-value targets. And so, discipline is a really good word for it – like, self-restraint, you know?

Dave Bittner: [00:17:56] Mm-hmm.

Fred Plan: [00:17:56] And part of it is probably them trying to obfuscate their full capabilities or trying to hide their full range of tools.

Dave Bittner: [00:18:07] Mm-hmm.

Fred Plan: [00:18:07] But yeah, that level of self-discipline, to be able to do that, I think that's a key characteristic of APT41's operations.

Dave Bittner: [00:18:15] Nalani, what is your take on them?

Nalani Fraser: [00:18:17] So I think, you know, despite their sophistication – we know they're a very sophisticated group, they have a ton of malware in their toolset – their initial infection vector into a lot of victims is spearphishing. And so if you can do that security training upfront with all of your users to make sure that they're identifying potential spearphishing and reporting it, then you can potentially get ahead of the actual infection, or at least stopping it early in their tracks. Because we know that once they get into the environment, they're very quickly moving. And once they compromise, they can quickly move out throughout the environment, compromising multiple locations across geographic regions. So if you can respond quickly to the investigation, you have a higher chance of making sure that you're responding appropriately.

Fred Plan: [00:19:07] Definitely easier to keep them out than try to root them out once they're in.

Dave Bittner: [00:19:11] Yeah, that's a really interesting insight. I mean, I guess they're – you know, these folks are well-funded, it seems as though they're patient, they're persistent, and they have a range of tools that they can draw from.

Nalani Fraser: [00:19:23] Correct. I think the move towards telecoms is a really interesting trend and something that we have seen across different Chinese groups recently. It's very interesting because telecoms give access to a wide number of individuals and it also provides that degree of separation between the threat actor and the actual victim. So, that is an interesting trend that we've seen across groups and with APT41.

Fred Plan: [00:19:49] Besides that shift towards strategic intelligence collection, the other thing that's pretty cool about APT41 – or interesting, maybe not cool – it seems that they're deployed for, like, tactical operations sometimes. So, we identified instances, for example, where they were targeting a hotel. And because of their behavior, because of what they were targeting, and going for, like, you know, reservations information and PII at the hotel, and then the timing of that particular operation was that they were targeting this hotel just before a group of Chinese VIPs were staying at the exact same facility, indicating that they were probably sent to reconnoiter the facility just before this visit. So, that sort of, like, tactical deployment we think is pretty unique to APT41. Or at least definitely the first instances of us observing it.

Fred Plan: [00:20:37] Another instance, for example, they were targeting a news and media organization in Hong Kong, and based on the timing of that particular operation, we think that it was related to the Umbrella Movement protests that are happening at the time. And we think that that particular campaign led to the identification of protesters that were associated with the movement, and it ultimately led to those protesters being locked out of the political process as it was developing in Hong Kong.

Fred Plan: [00:21:05] So, these kind of, you know, really in-the-trenches kind of activities, these kind of like tactical deployments, stand in pretty stark contrast to the bigger strategic intelligence collection, more typical espionage activity that we usually see with these Chinese groups. So, if anything, A), it demonstrates how flexible this group is and the wide variety of operations that they can be tasked against. But also, B), the capability of this operation to point their tools, point their TTPs, point their capabilities at so many different kinds of activity and so many different kinds of tasks, as required.

Dave Bittner: [00:21:38] Yeah, they're sort of the go-to team. When something needs to get done, these may be the folks that get sent out that can do it reliably.

Fred Plan: [00:21:46] Right. And across a wide range of activity.

Dave Bittner: [00:21:52] Our thanks to Nalani Fraser and Fred Plan from FireEye for joining us. The research is titled, "APT41: A Dual Espionage and Cyber Crime Operation." We'll have a link in the show notes.

Dave Bittner: [00:22:05] Thanks to Juniper Networks for sponsoring our show. You can learn more at or connect with them on Twitter or Facebook.

Dave Bittner: [00:22:14] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:22:22] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.