APT41, also known as 'double dragons' is a Chinese founded hacking group that specializes in cyber espionage. They target ‘intellectual property’ and sensitive data and conduct supply chain attacks to gain access to networks of hundreds of companies worldwide.

History

Active since 2012, the group has targeted various industries such as the healthcare, gaming, technology and telecom industries to name a few. They also perform some financially motivated targeting (which is apparently unusual for China-based actors). They have been known for hacking into telecom companies to gain access to sensitive data and keep an eye on Chinese officials. Their work generally aligns with China’s Five year Economic Development Plans, and they establish and maintain access to targeted organizations in said industries.

Tactics, Techniques & Procedures (TTPs)

The group often uses spear-phishing emails with attachments such as compiled HTML(.chm) files to compromise their victims in the first stage. They then go on to use other more sophisticated TTPs and deploy malwares of their choosing. They also deploy rootkits and Master Boot Record(MBR) to hide their presence and maintain access to selected systems

An example of one of their operation is an attack where ‘the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions, sent phishing mails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization’s servers across multiple geographic regions.’

– Mandiant

The following are the TTPs used in said attack with reference to their position on the MITRE attack framework

Framework

1. Initial Access – Spear phishing emails, T1021 (Remote File Transfer), T1136 (File and Directory Discovery), T1105 (Ingestion)

2. Execution

3. Persistence - T1036 (Masquerading), T1059 (Forced Entry)

4. Privilege Escalation - T1068 (Credential Dumping), T1055 (Forced Authentication)

5. Defense Evasion- T1059 (Forced Entry), T1114 (Living Off the Land)

6. Credential Access- T1003 (Operating System Command Execution), T1071 (System Services)

7. Discovery - T1016 (Steal File), T1059 (Forced Entry)

8. Lateral Movement - T1071 (System Services), T1059 (Forced Entry)

9. Collection - T1003 (Operating System Command Execution), T1059 (Forced Entry)

10. Exfiltration - T1530 (Steal Data)

11. Command and Control - T1003 (Operating System Command Execution), T1048 (Application Execution)

Prevention/Defense techniques

• Detection: Monitor for unusual network activity, unauthorized access attempts, and suspicious file modifications.

• Prevention: Implement strong authentication measures like multi-factor authentication (MFA) and enforce least privilege access principles. Regularly patch vulnerabilities and disable unused ports and services. Consider endpoint detection and response (EDR) solutions for real-time monitoring and anomaly detection.

• Awareness: Implement phishing awareness training and deploy email security solutions to filter out malicious emails. Monitor for suspicious login attempts and anomalous user behaviour. Use security information and event management (SIEM) solutions to correlate events and identify potential credential theft attempts.

Sources

• Mandiant(https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation)

• Varonis (https://www.varonis.com/blog/mitre-attck-framework-complete-guide#matt)

• Attack.mitre.org (https://attack.mitre.org/groups/G0096 )