By Joseph Menn, Jack Stubbs and Christopher Bing
LAS VEGAS (Reuters) – One of the most effective teams of Chinese government-backed hackers is also conducting financially-motivated side operations, cybersecurity researchers said on Wednesday.
U.S. firm FireEye said members of the group it called Advanced Persistent Threat 41 (APT41) penetrated and spied on global tech, communications and healthcare providers for the Chinese government while using ransomware against game companies and attacking cryptocurrency providers for personal profit.
The findings, announced at the Black Hat security conference in Las Vegas, show how some of the world’s most advanced hackers increasingly pose a threat to consumers and companies not traditionally targeted by state-backed espionage campaigns.
“APT41 is unique among the China-Nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain,” said FireEye Senior Vice President Sandra Joyce.
Officials in China did not immediately respond to Reuters request for comment. Beijing has repeatedly denied Western accusations of conducting widespread cyber espionage.
FireEye said the APT 41 group used some of the same tools as another group it has previously reported on, which FireEye calls APT17 and Russian security firm Kaspersky calls Winnti.
Current and former Western intelligence officials told Reuters Chinese hacking groups were known to pursue commercial crimes alongside their state-backed operations.
FireEye, which sells cybersecurity software and services, said one member of APT41 advertised as a hacker for hire in 2009 and listed hours of availability outside of the normal workday, circumstantial evidence of moonlighting.
The group has used spear-phishing, or trick emails designed to elicit login information. But it has also deployed root kits, which are relatively rare and give hard-to-detect control over computers. In all, the group has used nearly 150 unique pieces of malware, FireEye said.
The most technically impressive feats included tainting millions of copies of a utility called CCleaner, now owned by security company Avast. Only a small number of specially selected, high-value computers were fully compromised, making detection of the hack more difficult.
Avast said that it had worked with security researchers and law enforcement to stop the attack and that no damage was detected. The company did not have any immediate further comment on Wednesday.
In March, Kaspersky found the group hijacked Asus’ software update process to reach more than 1 million computers, again targeting a much smaller number of end-users. Asus said the next day it had issued a fix for the attack, which affected “a small number of devices.”
“We have evidence that at least one telecom company may have been the intended target during the Asus compromise, which is consistent with APT41’s espionage targeting over the past two years,” said FireEye spokesman Dan Wire.
But FireEye and Slovakia-based cybersecurity company ESET said the gaming compromises aligned with financial motives more than national espionage. Among other things, the group won access to a game’s production environment and generated tens of millions of dollars’ worth of virtual currency, FireEye said.
(Reporting by Joseph Menn, Jack Stubbs and Chris Bing; Editing by Greg Mitchell and Nick Zieminski)