
Chinese State Hackers Attack Video Games And Cryptocurrencies For ‘After Hours’ Personal Gain: Report – Forbes


A damning report, issued today (August 7), provides further evidence of the extent of the attacks on large-scale enterprises by China’s state hackers to promote the interests of the government in Beijing. China is, in effect, executing “brute force” campaigns against certain industries to collect mass-scale data, simply to target a small number of individuals. It might not be a high-finesse approach, but it is ruthlessly effective.

The report from cybersecurity researchers at FireEye unveils the activities of a hacking group dubbed APT41, activities traced back to 2012 which have included operations in 14 different countries, including the U.K., the U.S. and “dissident” activity in Hong Kong. This is a report with a twist, though, because those same hackers are also using the tools of their espionage trade to target non-strategic industries for personal gain.

“Unlike other observed Chinese espionage operators,” FireEye says, “APT41 conducts explicit financially motivated activity, which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests.” Some of that activity was during working hours, but “the late-night to early-morning activity of APT41’s financially motivated operations suggests that the group primarily conducts these activities outside of their normal day jobs.”

Jacqueline O’Leary—a senior analyst at FireEye and one of the authors of the report—gave me three instances of financial crime exposed by the team’s research. “APT41 targeted a video game company and generated in-game currency associated with that game. In three hours they generated millions in virtual currency, likely sold in underground markets—that could have netted up to $300,000. We have also seen an interest in cryptocurrency miner tools and an attempt to deploy ransomware.”

The report itself lists further examples of financial crime, supply chain compromises and the targeting of an array of different industries.

“The video game targeting was something we saw from the earliest activity of the group in 2012,” O’Leary explains. “We continue to see indication in 2019 that they’re still using video game targeting to pursue financial missions. And they’ve taken some of what they learned in video games and focused that on supply chain targeting.”

For O’Leary “the financially motivated activity was notable because it used tools typically reserved for espionage missions—this was the hallmark of this group.”

The report is dubbed “Double Dragon,” highlighting the dual focus of APT41—espionage and financial crime. But this financial crime is secondary. The real focus of APT41 is state espionage.

In June, I reported that Cybereason had published research claiming that APT10, another Chinese state-sponsored hacking group, had compromised the systems of at least ten cellular carriers around the world to steal metadata related to specific individuals linked to China.

The pattern here is the same.

“What we’ve seen,” O’Leary tells me, “is APT41 targeting the travel and telecoms industries to get access to a broad amount of information they can use for surveillance reasons. In telecoms we have seen them get call data records and text messages. In travel we have seen them go after reservation information.”

But it’s the telecoms angle that is most interesting with APT41, as seen with the report on APT10—although in this instance O’Leary highlights counter-espionage rather than offensive collection as an angle. Some of the call records and text messages targeted “certain high-ranking officials,” some of the reservation information “coincided with the visits of high-ranking Chinese visitors to that country.” Who is meeting whom and telling them what. Standard counter-espionage activity.

The report itself references “a hotel targeted two weeks ahead of a diplomatic visit in which high-ranking Chinese officials stayed—personal data within the reservations system was directly accessed, suggesting the group was potentially tasked to reconnoiter the facility.” And on a similar domestic agenda: “In July and August 2016, APT41 sent spear-phishing emails to Hong Kong media organizations known for pro-democracy editorial content. The timing and targeting of this activity suggests possible interest in the pro-democracy Umbrella Movement candidates who were running for seats in Hong Kong’s legislative council.”

The data collected by the telecoms industry is a goldmine for spy agencies. The metadata alone is telling enough. Agencies mine patterns, connections, dots on a map: who calls whom, how often, and from which cell tower. Networks can be mapped and inferences made without tapping into a single item of content. Even so, the “going dark” complaints from law enforcement and security agencies about end-to-end encryption show that the content itself is still prized.
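The kind of inference that paragraph describes, shown on a handful of call detail records. This is an added illustration, not FireEye’s tooling or anything from the report; the record layout (caller, callee, start time, serving cell) and the numbers in it are constructed for the example, and real CDRs carry far more fields than the four used here.

```python
"""Contact-graph and co-location inference over call detail records (CDRs).

Added example, not code from the article or from FireEye. The CDR layout and
the records below are constructed; real telco CDRs have many more fields but
the same core metadata (A-number, B-number, timestamp, cell/site identifier).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed records: (caller, callee, call start, cell tower serving the caller).
CDRS = [
    ("+44700000001", "+44700000002", "2016-07-04T09:02:00", "LHR-07"),
    ("+44700000002", "+44700000003", "2016-07-04T09:15:00", "LHR-12"),
    ("+44700000001", "+44700000004", "2016-07-04T11:40:00", "LHR-07"),
    ("+44700000005", "+44700000001", "2016-07-06T08:00:00", "CTY-01"),
    ("+44700000003", "+44700000006", "2016-07-05T18:30:00", "CTY-02"),
    ("+44700000004", "+44700000001", "2016-07-06T07:55:00", "CTY-01"),
    ("+44700000004", "+44700000007", "2016-07-06T08:05:00", "CTY-01"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_graph(cdrs):
    """Undirected weighted contact graph: graph[a][b] = calls between a and b."""
    graph = defaultdict(lambda: defaultdict(int))
    for caller, callee, _, _ in cdrs:
        graph[caller][callee] += 1
        graph[callee][caller] += 1
    return graph


def contacts_within(graph, target, hops):
    """Numbers reachable from target in at most `hops` calls (BFS), with distance.

    Second-degree contacts are the classic 'who does my target's contact talk to'
    expansion; no call content is needed, only the A/B numbers.
    """
    dist = {target: 0}
    frontier = [target]
    for d in range(1, hops + 1):
        nxt = []
        for n in frontier:
            for m in graph[n]:
                if m not in dist:
                    dist[m] = d
                    nxt.append(m)
        frontier = nxt
    dist.pop(target)
    return dist


def ranked_contacts(graph, target):
    """Direct contacts of target, most frequent first (ties broken by number)."""
    return sorted(graph[target].items(), key=lambda kv: (-kv[1], kv[0]))


def sightings(cdrs):
    """Map each number to the (time, cell) pairs at which it placed a call.

    Only the caller's serving cell is in this constructed layout, so a number is
    'seen' at a location only when it originates a call.
    """
    seen = defaultdict(list)
    for caller, _, ts, cell in cdrs:
        seen[caller].append((parse_ts(ts), cell))
    return seen


def colocations(cdrs, window=timedelta(minutes=30)):
    """Pairs of numbers seen on the same cell within `window` of each other.

    The pair need never have called each other: proximity in time and place is
    the inference ('dots on a map'), which is why cell identifiers matter.
    """
    seen = sightings(cdrs)
    hits = set()
    for a, b in combinations(sorted(seen), 2):
        for ta, ca in seen[a]:
            for tb, cb in seen[b]:
                if ca == cb and abs(ta - tb) <= window:
                    hits.add((a, b, ca))
    return sorted(hits)


if __name__ == "__main__":
    g = build_graph(CDRS)
    target = "+44700000001"
    print("most frequent contacts:", ranked_contacts(g, target))
    print("within two hops:", contacts_within(g, target, 2))
    print("co-located without calling each other:", colocations(CDRS))
```

In the sample, +44700000004 and +44700000005 never call each other, yet both originate calls from cell CTY-01 a few minutes apart on the same morning, so `colocations` links them; the two-hop expansion from the target pulls in +44700000003 and +44700000007 as contacts-of-contacts. That is the whole point of the metadata: the graph and the map fall out of fields the carrier has to keep for billing, with no message content involved.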

O’Leary sees telecoms as especially pivotal to Chinese espionage activity in general and APT41 in particular. “I think the indication we have is that APT41 is interested in a specific set of individuals,” she says, “but it’s also interesting for telcos more generally, the role they play, being a first target within new regions that APT41 is moving into. So we’re still understanding what the role of those telcos could be—but it looks like telco is a crucial foothold across industries in order for them to do their first-stage operation.”

Exactly as seen with APT10—Cybereason reported that “the threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more—to compromise critical assets and steal communications data of specific individuals in various countries.”

And, for FireEye, everything seems to align with Beijing’s strategic priorities. “Some of their more recent espionage activity is super interesting,” O’Leary explains, “shifting over time, maybe to satisfy different parts of the Chinese government, whether that’s the ‘Five Year Plan’ or ‘Belt and Road’ initiatives.” And APT41’s activities have remained consistent, despite restructuring within China’s agencies. “It’s interesting that this group is still active in 2019—that they’re still targeting across industries and geographies, that they’re going into new regions like Africa.”

The report itself widens the net: “APT41 has targeted organizations involved in the research, development, and sale of computer components used for machine-learning, autonomous vehicles, medical imaging, and the consumer market. The group also targeted companies involved in producing motherboards, processors, and server solutions for enterprises.”

O’Leary explains that FireEye is still researching “how opportunistic the targeting of certain industries is versus trying to work out the real intended targets. That’s something we’re still trying to work out,” she tells me, “but we do have indications that it’s probably a much smaller number of targets than initially thought.”

Prior to 2015, FireEye had seen instances of IP theft by APT41, but not since then, even though industries are still targeted in line with Beijing’s priorities. “Some of those industries align with the ‘Five Year Plan’ and ‘Made in China 2025’.” O’Leary gives the example of the parent company of a medical device manufacturer. “We know that ‘Made in China 2025’ [the strategic shift from cheap products to high-value devices and services] has a particular interest in medical devices.”

Again, there are some missing pieces of the puzzle. “We’re still trying to piece together what the motivations are for supply chain targeting. Those supply chain events were highly complex—but the end targets of those payloads are really hard to determine. But it illustrates the effort and skill of APT41 and shows the effort they will go to to target a small number of victims.”

FireEye concludes “with high confidence” that APT41 “is attributable to Chinese individuals who are working on behalf of the Chinese state in conducting cyber espionage operations.” The report also judges it likely that those individuals are contractors rather than government employees, given the financial-crime moonlighting: “State employees are less likely to use [espionage] tools for personal financial gain over multiple years given the potential for greater scrutiny or punishment.”

The use of contractors in this way is not unusual, and O’Leary points out that DOJ indictments have referenced the use of contractors by the Chinese government.

In the meantime, the findings of the report into APT10 are significantly reinforced by this new report into APT41. China is giving the impression that it’s open season on the data held by overseas telcos. And now travel can be added to the mix. The implication is that Beijing’s agencies can mine such data at will, using it to prompt additional investigations, whether for political or economic gain. Counter-intelligence was offered as one example by FireEye. Support for M&A activity (researching the individuals on the other side of a deal) and the investigation of strategically interesting industries were offered as others.

“I wouldn’t say this group is only of interest to diplomatic or high-ranking individuals for surveillance purposes,” O’Leary says. “We’ve seen their tasking reflect potential shifts within the government. Any industry with access to large amounts of data could be of interest to this group.” For “this group” read “Beijing.”

As for those financial crimes? State-sponsored hackers clearly have all the tools and know-how required to generate economic returns on their nefarious activities. It seems the contractors working within APT41 have realised that and have been entrepreneurial, and effective, in putting those tools and that know-how to use.

The findings “raise the question as to how aware the Chinese authorities were of this [after hours] activity,” O’Leary tells me. Whether or not they were, they certainly are now.
