
Threat Intel Report: APT41 Double Dragon

This is a threat intel report based on the FireEye report of 2019.

APT41: Double Dragon

On August 7, 2019, the FireEye Intelligence team published a research report about a unique and sophisticated Chinese cyber group that the researchers named APT41 (Advanced Persistent Threat). This cyber group stands out among other Chinese cyber actors for carrying out Chinese state-sponsored espionage operations while at the same time using the same exclusive tools and malware for financially motivated campaigns.

Another interesting finding about APT41 was the broad scope of its operations and its years of activity. For example, the team pointed out that while it is common for Chinese cyber groups to become inactive, APT41 has remained consistently active since 2012 and has widened its industry targets from the gaming industry to the telecom, high-tech and healthcare industries. Remarkably, APT41 has been performing dual operations since 2014, carrying out sanctioned Chinese espionage operations in 14 different countries that represent a threat to either China's economic plans or its sphere of influence.

In addition, the report indicates that APT41 has been able to achieve dual operations by conducting espionage missions during hours that align with China's 996 work schedule (9am-9pm, 6 days per week) while carrying out financial campaigns late at night; essentially, APT41 moonlights off the clock. This is very uncommon for a cyber group in China, suggesting that the group works as a contractor for the Chinese government, since state employees are more likely to face punishment if they carry out operations that are not sanctioned by the Chinese government. Even more alarming, according to the team there was a malware overlap between the espionage operations and those motivated by personal gain. This indicates that APT41 started including malware typically used for espionage in its cybercrime operations, making those attacks relatively sophisticated. Finally, attribution of the APT41 group to China was achieved by identifying Chinese language in the malware used, IP locations and time zones that aligned with Chinese geographical locations, as well as the reliance on well-known Chinese malware tools like the "Homeunix" backdoor and the "Highnoon" malware family.

In conclusion, APT41 could be one of the few, if not the first, Chinese cyber groups to be reported that operates between state-sponsored missions and private cybercrime. However, we could expect similar groups in the near future to skew toward the same tactics, techniques and procedures, as China has started to rely more on contractors to bolster its cyber operations. This presents a new and advanced type of APT for cybersecurity companies and government agencies to battle.

Bibliography

Fraser, Nalani, et al. "APT41: A Dual Espionage and Cyber Crime Operation." FireEye, 7 Aug. 2019, www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html.