Chinese government hackers suspected of moonlighting for profit


One of the most effective teams of Chinese government-backed hackers is conducting financially-motivated side operations, cybersecurity researchers said.

US firm FireEye said members of the group it called Advanced Persistent Threat 41 (APT41) penetrated and spied on global tech, communications and healthcare providers for the Chinese government while using ransomware against game companies and attacking cryptocurrency providers for personal profit.

The findings, announced at the Black Hat security conference in Las Vegas, show how some of the world’s most advanced hackers increasingly pose a threat to consumers and companies not traditionally targeted by state-backed espionage campaigns.

“APT41 is unique among the China-Nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain,” said FireEye Senior Vice President Sandra Joyce.

Officials in China did not immediately respond to Reuters request for comment. Beijing repeatedly denied Western accusations of widespread cyber espionage.

FireEye said the APT 41 group used some of the same tools as another group it previously reported on, which FireEye calls APT17 and Russian security firm Kaspersky calls Winnti.

Current and former Western intelligence officials told Reuters Chinese hacking groups were known to pursue commercial crimes alongside state-backed operations.

FireEye, which sells cybersecurity software and services, said a member of APT41 advertised as a hacker for hire in 2009 and listed hours of availability outside of the normal workday, circumstantial evidence of moonlighting.

The group used spear-phishing, or trick emails designed to elicit login information. It also deployed root kits, relatively rare and with hard-to-detect control over computers. In all, the group used nearly 150 unique pieces of malware, FireEye said.

The most technically impressive feats include tainting millions of copies of a utility called CCleaner, now owned by security company Avast. Only a small number of specially selected, high-value computers were fully compromised, making hack detection more difficult.

Avast said it worked with security researchers and law enforcement to stop the attack and no damage was detected.

In March, Kaspersky found the group hijacked Asus’ software update process to reach more than a million computers, again targeting a smaller number of end users. Asus said the next day it issued a fix for the attack, which affected “a small number of devices.”

“We have evidence at least one telecom company may have been the intended target during the Asus compromise, consistent with APT41’s espionage targeting over the past two years,” said FireEye spokesman Dan Wire.

FireEye and Slovakia-based cybersecurity company ESET said the gaming compromises aligned with financial motives more than national espionage. Among others, the group won access to a game’s production environment and generated tens of millions of dollars’ worth of virtual currency, FireEye said.