FBI Most Wanted cyberattackers are blueprint for other hacker groups

APT41's cyberattack methods are becoming the role model for other hacker groups launching attacks on the supply chain and other industries.
19 November 2021


Hacker groups have developed into a pervasive problem for both governments and organizations worldwide. From state-sponsored hacker groups to black hat hackers to hacktivists, these hacker groups keep finding new methods to launch cyberattacks. And now, many are looking to one group that has gained notoriety after launching successful attacks.

The cyberespionage group APT41 has conducted operations across multiple countries, with the US being the prime target. The group is now on the FBI’s Cyber Most Wanted List for various cybercrimes, including hacks on over 100 organizations around the world. The victims included companies in Australia, Brazil, Germany, India, Japan, and Sweden.

According to new Venafi research titled APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks, APT41 is unique among China-based threat groups in that it leverages specially crafted, non-public malware typically reserved for espionage activities for financial gain — likely outside the scope of state-sponsored missions. The group started its cybercriminal activities by targeting video games, before launching phishing attacks.

But the focus has now changed. Over the last couple of years, APT41 has been going for bigger targets because it has found success in its attack methods. Critical to that success is how APT41 has made code signing keys and certificates, the machine identities that authenticate code, a primary target. Compromised code signing certificates are used as a shared resource for large teams of attackers because they act as an attack force multiplier, dramatically increasing the odds of success.

The Venafi report showed that this strategic, long-term focus is a primary factor in APT41’s ability to successfully compromise a wide range of high-value targets across multiple industries including healthcare, foreign governments, pharmaceuticals, airlines, telecommunications, and software providers.

And this is where the situation becomes more concerning. Venafi warns that APT41’s success means its unique use of compromised code signing machine identities and supply chain attacks will become the preferred method of other threat groups. As such, businesses need to be prepared for more nation-state attack groups that use compromised code signing machine identities.

For Yana Blachman, threat intelligence specialist at Venafi, APT41 has repeatedly used code signing machine identities to orchestrate a string of high-profile attacks that support China’s long-term economic and political goals and military objectives.

“Code signing machine identities allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect,” said Blachman. “Since targeting the Windows software utility CCleaner in 2018 and the ASUS LiveUpdate in 2019, APT41’s methods continue to improve. Every software provider should be aware of this threat and take steps to protect their software development environments.”
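The point in the quote above is that a validly signed binary is not proof of a trustworthy publisher: a stolen certificate produces a signature that passes every chain check. As an added example, not code from the article or from Venafi's report, the following PowerShell audit treats a "Valid" Authenticode status as necessary but not sufficient, and pins the signer's certificate thumbprint against an allowlist of expected signers and a list of known-compromised thumbprints. The release directory path and the thumbprint values are placeholders.

```powershell
# Added example: audit signed binaries in a release directory and flag any whose
# signer is not an expected code signing certificate, or is on a compromised list.
# Thumbprints and the directory path are placeholders, not real values.

$ExpectedSignerThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-YOUR-OWN-CODE-SIGNING-CERT'
)
$KnownCompromisedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-FROM-A-THREAT-INTEL-FEED'
)

function Test-TrustedSigner {
    param([Parameter(Mandatory)] [string] $Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }

    # 'Valid' only means the hash matches and the chain reaches a trusted root.
    # A compromised certificate yields exactly that, so the verdict depends on WHO signed.
    if ($sig.Status -ne 'Valid') {
        $verdict = "REJECT: signature status $($sig.Status)"
    } elseif ($KnownCompromisedThumbprints -contains $thumb) {
        $verdict = 'REJECT: signer is on the compromised-certificate list'
    } elseif ($ExpectedSignerThumbprints -notcontains $thumb) {
        $verdict = 'REVIEW: valid signature from an unexpected signer'
    } else {
        $verdict = 'OK: valid signature from an expected signer'
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = $thumb
        Verdict    = $verdict
    }
}

# Walk the release directory (placeholder path) and report everything that is not OK.
Get-ChildItem -Path 'C:\Releases\MyProduct' -Recurse -Include *.exe, *.dll, *.msi |
    ForEach-Object { Test-TrustedSigner -Path $_.FullName } |
    Where-Object { $_.Verdict -notlike 'OK*' } |
    Format-Table -AutoSize
```

Run this against build output before release and against installed software after an update; a REVIEW hit on a vendor's own utility is the scenario the CCleaner and ASUS cases illustrate.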

Hacker groups targeting supply chain with APT41’s methods

What makes APT41 attackers so successful is that most of them are disciplined software developers, who recognize that the vulnerabilities in most software build environments are ripe for exploitation. In addition, they have discovered that infiltrating the software build pipelines of software providers is a huge force multiplier in any attack.

As APT41’s preferred method of entry is to compromise the supply chain of a commercial software vendor, the group targets a pool of companies that use the commercial software in order to gain access to carefully chosen victims. APT41 then uses secondary malware to infect only those targets that are of interest for cyberespionage purposes. Once a network is compromised, APT41 spreads laterally using stolen credentials and a variety of reconnaissance tools, then uses unique pieces of malware to steal valuable intellectual property and customer-related data from these very specific targets.

Realizing the success of APT41, other cybercriminal groups are now looking to follow the same path. Venafi’s report highlights how the extensive experience of APT41 has essentially become a blueprint for other state-sponsored attackers and hacker groups to follow. The methodology shows other attackers pursuing financially motivated cybercrime how they can successfully move from lower-value targets to high-profile and well-resourced organizations.

“Today, attackers are disciplined, highly skilled software developers, using the same tools and techniques as the good guys. They recognize that vulnerabilities in the software build environment are easy to exploit, and they’ve spent years developing, testing, and refining the tools needed to steal code-signing machine identities. This research should set off alarms with every executive and board because every business today is a software developer. We need to get a lot more serious about protecting code signing machine identities,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The reality is that, with hacker groups using more sophisticated methods to launch cyberattacks, businesses need to be more vigilant too. Companies can no longer afford to have only basic cybersecurity protection, especially those in the supply chain or dealing with supply chain industries. They need to monitor their networks, keep patches up to date, and have holistic cybersecurity protection across their business.