China-backed APT41 Group Hacked at Least 13 Victims in 2021

The Chinese advanced persistent threat (APT) actor known as APT41 (or Barium, Bronze Atlas, Double Dragon and Wicked Panda) has targeted at least 13 organizations across the US, Taiwan, India, Vietnam and China as part of four different campaigns in 2021.

The news comes from Group-IB security researchers, who published an advisory detailing APT41 activities from the beginning of 2021 to the present day.

“For the first time, we were able to identify the group’s working hours in 2021, which are similar to regular office business hours,” Group-IB wrote.

According to the security experts, most of the attacks spotted as part of these campaigns relied primarily on SQL injection against targeted domains as the initial access vector to infiltrate victim networks. APT41 would then deliver a custom Cobalt Strike beacon onto the endpoints.

The main difference from traditional Cobalt Strike attacks, however, is that in these campaigns the Cobalt Strike beacon was split and delivered in smaller chunks of code as an obfuscation tactic to fly under the radar. Only then was the entire payload written out to a file on the infected host.

“Our efforts have resulted in about 80 proactive notifications to private and government organizations worldwide regarding APT41 attacks (both in progress and completed) against their infrastructures so that the organizations could take the necessary steps to protect themselves or search for traces of compromise in their networks,” read the advisory.

In terms of the industries targeted by the attacks, Group-IB mentioned the public sector, manufacturing, healthcare, logistics, hospitality and education, as well as the media and aviation.

“We will continue to explore the methods, tools and tactics used by one of the oldest and still dangerous groups, APT41,” Group-IB said.

The advisory comes months after security researchers revealed APT41 compromised at least six US state government networks between May 2021 and February 2022.
