Indictment ‘Did Not Hinder APT41’s Operations,’ says HHS HC3
Two federal indictments against a Chinese-state sponsored hacking group haven’t slowed down its operations, the U.S. government acknowledges in a warning telling the healthcare sector to be vigilant about the threat actor.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail’s ATO & Fraud Prevention Challenge
A federal grand jury returned indictments in 2019 and 2020 against five Chinese nationals accused of hacking for a threat group dubbed APT41 and also known as Barium, Winnti, Wicked Panda and Wicked Spider.
The hackers are believed to be at large, likely in China, and are unlikely to face arrest (see: 5 Chinese Suspects Charged in Connection with 100 Breaches).
The United States began publicly indicting Chinese hackers in 2014 in a strategy to pressure Beijing by exposing the organizations and individuals behind state-sponsored cybertheft.
The strategy seemed to pay dividends when Chinese leader Xi Jinping in September 2015 pledged to cease cyber-enabled economic espionage. The strategy’s utility has since come under mounting fire as it became apparent that Chinese state-sponsored hacking responded to Xi’s promise by becoming stealthier rather than by ending.
“The indictment did not hinder APT41’s operations as they progressed into 2021,” concludes the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in a Thursday threat brief.
“Stealing foreign IP is a primary objective of state-sponsored Chinese cyberespionage groups such as APT41, as it contributes to China’s ambitious business and economic development goals,” says Paul Prudhomme, a former Department of Defense threat analyst who is head of threat intelligence advisory at Rapid7.
APT41 has a history of targeting the healthcare sector, along with high-tech and telecommunication companies. Cybersecurity firm Mandiant says the group engages in a financially motivated sideline of video game industry hacking where it has manipulated cryptocurrencies and attempted to deploy ransomware.
Earlier this year, Mandiant revealed the group compromised at least six U.S. state government networks, in some cases via an app used to trace livestock diseases.
Evolving TTPs
HHS HC3 says some of the tactics, techniques, procedures and other tools commonly used by APT41 are:
- Spear-phishing with malicious attachments, watering holes and supply chain attacks to gain initial access;
- Using a variety of public and private malware to gain a foothold;
- Escalating privileges by leveraging custom tools to obtain credentials;
- Performing internal reconnaissance using compromised credentials;
- Moving laterally through use of remote desktop protocol, stolen credentials, adding admin groups and brute-forcing utilities;
- Maintaining a presence through the use of backdoors;
- Creating a RAR archive for exfiltration and removal of evidence.
While the cybersecurity industry has always emphasized the importance of patching systems, “it’s especially urgent given APT41’s agility and persistence,” says Ben Read, director of cyberespionage analysis at Mandiant.
“We’ve seen instances of APT41 re-infecting systems after being removed, and we observed this group begin exploiting the Log4j vulnerability within just two days of the vulnerability being made public,” he says. “APT41’s rapid adoption of publicly exposed vulnerabilities showcases the importance of prompt patching.”
APT41 has consistently updated its techniques to avoid detection, he adds. “Organizations need to be similarly active, keeping up to date on the latest tactics and ensuring that they are positioned to block and detect any intrusion attempts.”