The US cybersecurity firm FireEye has detected a surge in online espionage carried out by the Chinese hacking group APT41.
The spike in activity from APT41 began at the end of January and lasted till mid-March during which time the group targeted 75 organizations from a number of different industries including telecommunications, healthcare, government, defense, finance, petrochemical, manufacturing and transportation. The group also targeted nonprofit, legal, real estate, travel, education and media organizations.
In their report on APT41’s recent activities, FireEye researchers Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller explained that the group is likely responsible for launching one of the most widespread online espionage campaigns they’ve ever seen, saying:
“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry … this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.”
Leveraging recently disclosed vulnerabilities
APT41 used known vulnerabilities in Citrix’s Application Delivery Controller (ADC), Cisco’s routers and Zoho’s ManageEngine Desktop Central to launch their attacks on targeted organizations.
The Citrix vulnerability was made public a month before the group’s campaign began while a zero-day remote code execution vulnerability in Zoho’s ManageEngine Desktop Central was discloses just three days before the group leveraged the security flaw. Although FireEye does not have a copy of the malware used against Cisco’s routers, the company believes that APT41 designed its own custom malware to launch attacks against them.
FireEye first gave a name to the Chinese hacking group last year but APT41 has been conducting state-sponsored espionage for some time now.
In a statement to CyberScoop, FireEye explained the that motive behind APT41’s latest campaign is unknown but there are multiple explanations as to why it launched cyberattacks on 75 organizations across a variety of industries, saying:
“Based on our current visibility it is hard to ascribe a motive or intent to the activity by APT41. There are multiple possible explanations for the increase in activity including the trade war between the United States and China as well as the COVID-19 pandemic driving China to want intelligence on a variety of subjects including trade, travel, communications, manufacturing, research and international relations.”