In a development that may again stoke the simmering cold war between China and the U.S., an Israeli-American cyber security firm has warned of a substantial hacking operation that it attributes to a Chinese-origin hacking group. According to the report, the group has carried out intellectual property (IP) theft and large-scale industrial espionage on three continents. It remains to be seen how Beijing will respond to the revelation.
The Israeli-American cyber security company Cybereason is headquartered in Boston, with offices in Tokyo, Tel Aviv, and London. It said the Chinese-origin group used advanced methods and operated covertly to evade detection, targeting leading technology and manufacturing companies in Asia, the U.S., and Europe in order to steal intellectual property.
The Winnti Group/APT41: A top player in the cyber threat landscape
The group, referred to as the Winnti Group or APT41, is a top player in the cyber threat landscape and has been active since 2010. Some of its members were indicted for computer crimes by the U.S. Department of Justice in 2020.
Cybereason spokespersons said the Winnti Group/APT41 had conducted cyber espionage on a large scale; the company learned of the group's operations from one of the targeted companies. The security company's senior director Assaf Dahan said: "Their level of stealth and sophistication was very high. It's an intricate and complex deployment process where the components must work together in a certain order. It's challenging to detect because each component [alone] doesn't appear malicious. It's a smart way of evading detection, and it worked — they worked undetected for three years."
Cybereason found an advanced Winnti Group/APT41 malware named WINNKIT, which the group has likely used to collect sensitive IP data from technology companies. Cybereason has informed the U.S. Department of Justice and the FBI of its findings. The Winnti Group/APT41 has grown over the years and now operates as several linked hacking groups. According to the report, it has repeatedly targeted Asian game developers, for example the South Korean company Gravity, which launched the popular MMORPG Ragnarok Online.
The Winnti Group/APT41 ran a worldwide cyber espionage campaign that Cybereason refers to as Operation CuckooBees. Cybereason carried out a year-long investigation into the clandestine campaign. Its CEO and Co-founder, Lior Div, said: "Operation CuckooBees research is the culmination of a 12-month investigation that highlights the intricate and extensive efforts of the Chinese state-sponsored Winnti Group/APT41 to abscond with proprietary information from dozens of global organizations. The most alarming revelation is that the companies weren't aware they were breached, going back as early as 2019, giving Winnti/APT41 free unfiltered access to intellectual property, blueprints, sensitive diagrams, and other proprietary data."
The alarming aspect is that the Winnti Group/APT41 executed Operation CuckooBees undetected for years, so the group may have exfiltrated a large amount of intellectual property from the targeted organizations. Cybereason published two reports on the campaign: the first covers the tactics and techniques used, and the second analyzes the malware.
Cybereason has detailed how the Winnti Group/APT41 uses previously undocumented malware against its victims. The hackers deploy what Cybereason calls a house-of-cards approach: each component depends on the others to function, so examining any one component in isolation reveals little and does not look malicious on its own.