China's APT41: State-sponsored espionage by day, hacking for personal gain by night

Members of China's APT41 threat group traced back to 2012, attacking video game companies out of hours

Members of Chinese cyber threat group APT41 are conducting state-sponsored espionage activities during the day and hacking companies across the world for personal profit by night.

That's according to security specialists at FireEye, who track both criminal and state-sponsored hacking groups, and who say that within the past year they have identified two members of APT41 targeting gaming firms and cryptocurrency providers for personal gain.

"Unlike other observed Chinese espionage operators, APT41 conducts explicit financially motivated activity, which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests," FireEye claimed in its report.

"[This] may indicate the group enjoys protections that enable it to conduct its own for-profit activities, or authorities are willing to overlook them."

APT41 is a China-backed hacking group, which is believed to spy on organisations worldwide across multiple sectors, including telecommunications, healthcare, education and high technology.

According to security experts, the espionage activities of APT41 are aimed at organisations "aligned with China's Five-Year economic development plans".

For example, the group has frequently targeted major telecoms firms and their subsidiaries worldwide to steal call detail records.

Members of the group have also attacked multiple tech firms working to develop autonomous vehicles, machine learning programmes, semiconductors, processors, enterprise cloud computing, and medical imaging software.

In the healthcare sector, the group has allegedly stolen intellectual property from pharmaceutical and medical device companies.

FireEye claims that the two hackers it identified are highly likely to be Chinese intelligence contractors operating for APT41. The activities of these individuals have been traced back to 2012, when they attacked video gaming firms and players for profit.

Since 2014, these individuals have been tracked conducting cyber espionage activities to steal strategic data for the Chinese government. Specifically, they have targeted organisations in the US, UK, France, Italy, India, Japan, the Netherlands, Singapore, Myanmar, Switzerland, South Korea, Hong Kong, South Africa, Turkey and Thailand in wide-ranging spying operations.

FireEye now claims that in addition to APT41's usual activities during office hours, it also observed "late-night to early-morning" activity by the group's members. During those night operations, the group targeted video gaming firms and cryptocurrency exchanges.
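The day/night split FireEye describes rests on looking at when activity happens in the operators' local time zone. As an added illustration (not FireEye's methodology or code, and not real APT41 telemetry), the script below converts UTC event timestamps to China Standard Time (UTC+8, no daylight saving) and buckets them into office-hours and late-night windows per target sector; the hour boundaries (09:00-18:00 and 22:00-06:00) and the sample events are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time is UTC+8 with no daylight saving (assumption for this example).
CST = timezone(timedelta(hours=8))


def local_hour(ts_utc: str) -> int:
    """Convert an ISO-8601 UTC timestamp (trailing 'Z') to the hour of day in CST."""
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return dt.astimezone(CST).hour


def shift(hour: int) -> str:
    """Assumed buckets: office hours 09:00-18:00 CST, late night 22:00-06:00 CST, else 'other'."""
    if 9 <= hour < 18:
        return "office_hours"
    if hour >= 22 or hour < 6:
        return "late_night"
    return "other"


def profile(events):
    """Count events per (shift, target_sector); events are (utc_timestamp, sector) tuples."""
    counts = Counter()
    for ts, sector in events:
        counts[(shift(local_hour(ts)), sector)] += 1
    return counts


# Constructed sample events for the example; not real intrusion data.
SAMPLE_EVENTS = [
    ("2019-03-04T02:15:00Z", "telecom"),          # 10:15 CST -> office_hours
    ("2019-03-04T06:40:00Z", "healthcare"),       # 14:40 CST -> office_hours
    ("2019-03-04T09:05:00Z", "semiconductor"),    # 17:05 CST -> office_hours
    ("2019-03-04T15:30:00Z", "video_games"),      # 23:30 CST -> late_night
    ("2019-03-04T19:00:00Z", "crypto_exchange"),  # 03:00 CST -> late_night
    ("2019-03-05T11:20:00Z", "telecom"),          # 19:20 CST -> other
]

if __name__ == "__main__":
    for (window, sector), n in sorted(profile(SAMPLE_EVENTS).items()):
        print(f"{window:13} {sector:16} {n}")
```

The point of the bucketing is the contrast it surfaces: state-aligned sectors cluster in the office-hours bucket while gaming and cryptocurrency targets land in the late-night one. On real data the time zone itself is a hypothesis to test, so the same histogram should be re-run under candidate offsets before drawing any attribution conclusion.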

In one instance, the group was observed deploying malware to install a bot on the target machine as part of a cyber-extortion operation.

Chinese state-sponsored hacking groups have long been involved in both international espionage activities and financial crimes.

In June, it was reported that a group of hackers sponsored by China's Ministry of State Security targeted eight of the world's largest tech service providers for years.

Last month, Intrusion Truth, an online group of anonymous cyber-security researchers, claimed that the cyber-espionage group APT17 is controlled by the Jinan bureau of China's Ministry of State Security.

In December 2018, security firm Area 1 Security revealed that Chinese hackers had monitored private communications between EU diplomats for at least three years.