Named APT41 and also known as 'Barium,' 'Winnti,' 'Wicked Panda,' and 'Wicked Spider,' the cyber-espionage group has been operating since at least 2012 and is involved not only in strategic intelligence collection from valuable targets across many sectors, but also in financially motivated attacks against the online gaming industry.
According to a press release published by the U.S. Justice Department, two of the five Chinese hackers, Zhang Haoran (张浩然) and Tan Dailin (谭戴林), were charged back in August 2019, and the other three, Jiang Lizhi (蒋立志), Qian Chuan (钱川) and Fu Qiang (付强), were charged along with two Malaysian co-conspirators in separate indictments in August 2020.
The three Chinese hackers indicted later are associated with Chengdu 404 Network Technology, a network security company operated as a front by the People's Republic of China.
"FU has been working closely with JIANG since at least 2008, and worked with JIANG at multiple internet and video game related companies. FU has been working with QIAN and JIANG together since at least 2013. Before joining CHENGDU 404, FU described himself as a skilled programmer and developer," the court documents say.
As uncovered previously in multiple reports, the APT41 group specializes in software supply-chain attacks, where hackers steal proprietary "source code, software code signing certificates, customer account data, and valuable business information," and distribute digitally signed malicious versions of the software to infect systems at targeted organizations.
According to the court documents, in cases where the targeted systems held no valuable information, the defendants also deployed ransomware and crypto-jacking malware to monetize their access.
The targeted industries include "software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong."
"The defendants also compromised foreign government computer networks in India and Vietnam, and targeted, but did not compromise, government computer networks in the United Kingdom," the press release says.
The two Malaysian hackers, Wong Ong Hua and Ling Yang Ching, were arrested by Malaysian authorities in Sitiawan on September 14, 2020, and are being extradited to the United States. The FBI confirmed that all five Chinese nationals remain at large.
"In addition to arresting warrants for all of the charged defendants, in September 2020, the U.S. District Court for the District of Columbia issued seizure warrants that resulted in the recent seizure of hundreds of accounts, servers, domain names, and command-and-control (C2) 'dead drop' web pages used by the defendants to conduct their computer intrusion offenses," the DoJ said.
"The actions by Microsoft [other than Google, Facebook, and Verizon Media] were a significant part of the overall effort to deny the defendants continued access to hacking infrastructure, tools, accounts, and command and control domain names."
The targeted companies were located in the United States and worldwide, including in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.
Zhang and Tan have been charged with 25 counts of computer fraud and money laundering, which carry a maximum sentence of 20 years in prison.
Jiang, Qian, and Fu face similar charges on nine counts, which also carry a maximum sentence of 20 years in prison.
The indictment against Wong and Ling charges them with 23 counts of similar offenses; because they are additionally charged with the false registration of domain names, the maximum sentence of imprisonment for money laundering rises to 27 years.