China’s 13th Five Year Plan reportedly set out the goal of building a ‘social safety net,’ a phrase that sits uncomfortably close to the intrusions hackers have carried out against crypto firms. Whether that alignment is mere coincidence or something that deserves an explanation remains an open question.
The FireEye Threat Intelligence research report confirms that a Chinese espionage operator targets crypto firms during state-sponsored campaigns. APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity alongside financially motivated activity that appears to be largely outside the state’s control. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors since 2012. APT41 operations against higher education, travel services, news, and media firms indicate that the group also tracks individuals and conducts surveillance. APT41 activity aimed at healthcare demonstrates the group’s capacity to collect sensitive and highly valuable information about pharmaceutical development, clinical trial data, and intelligence regarding a medical subsidiary’s parent company.
APT41 uses a variety of malware and tools, both common and unique to the group, to gain entry and establish a firm foothold in the victim’s environment. As FireEye, the US-based cybersecurity firm, notes, consolidating multiple malware families into a single family with variants led to the identification of overlaps: these families share functionality, code, and encoding routines. Some of them, such as HIGHNOON, are shared with other Chinese espionage groups, which widens the malicious network further. Custom-made and publicly available tools are then used to gather credentials and dump password hashes; they include ACEHASH, GEARSHIFT, Mimikatz, and others. APT41 frequently uses the ‘Windows Credential Editor’ to dump password hashes from memory and authenticate to other user accounts.
APT41 conducts network reconnaissance and uses the stolen credentials to log on to other systems. Built-in Windows commands such as “netstat” and “net share,” together with the custom, non-public malware families HIGHNOON and WIDETONE, help the group collect host information: enumerating active Remote Desktop Protocol (RDP) sessions, conducting port scans and password brute-force attacks, and gathering network information.
APT41, as the report states, attempted to remove evidence of some of its activity by deleting Bash histories, clearing the Windows Security and System event logs, and modifying DNS settings to avoid anti-virus detection. In another instance, APT41 deployed XMRig, an open-source Monero cryptocurrency miner with variants for CPU, NVIDIA GPU, and AMD GPU mining, in a victim’s environment. The report also notes that the group deployed ransomware in at least one instance.
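Both the reconnaissance with built-in commands such as “netstat” and “net share” and the clearing of the Windows Security and System event logs described above leave traces in Windows event logs, so a defender can look for the two together. The following is an added example, not code from the FireEye report or this article: it runs a small detection over constructed sample events and escalates an account that both enumerates the host and clears logs. It assumes process-creation auditing with command-line logging is enabled (Security event 4688), that log clearing shows up as Security 1102 and System 104, and that the forwarder emits one JSON object per line in the simplified shape shown; the account names and command lines are invented.

```python
import json
from collections import defaultdict

# Constructed sample events (invented for this example), one JSON object per line,
# in the simplified shape a log forwarder might emit for Windows events.
SAMPLE_EVENTS = r"""
{"Channel": "Security", "EventID": 4688, "CommandLine": "net  share", "SubjectUserName": "svc_backup"}
{"Channel": "Security", "EventID": 4688, "CommandLine": "NETSTAT -ano", "SubjectUserName": "svc_backup"}
{"Channel": "Security", "EventID": 4688, "CommandLine": "notepad.exe report.txt", "SubjectUserName": "alice"}
{"Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_backup"}
{"Channel": "System", "EventID": 104, "SubjectUserName": "svc_backup"}
{"Channel": "Security", "EventID": 4688, "CommandLine": "netstat -r", "SubjectUserName": "alice"}
"""

# Events the Windows event log service writes when an audit log is cleared:
# 1102 = Security log cleared, 104 = System (or Application) log cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Built-in reconnaissance commands named in the report, matched on normalized tokens.
RECON_COMMANDS = {("net", "share"), ("netstat",)}


def command_tokens(command_line):
    """Lower-case and split the command line, dropping an .exe suffix on the first token."""
    tokens = command_line.lower().split()
    if tokens and tokens[0].endswith(".exe"):
        tokens[0] = tokens[0][:-4]
    return tokens


def classify(event):
    """Return 'log_cleared', 'recon' or None for one parsed event."""
    if (event.get("Channel"), event.get("EventID")) in LOG_CLEARED:
        return "log_cleared"
    if event.get("EventID") == 4688:
        tokens = command_tokens(event.get("CommandLine", ""))
        for pattern in RECON_COMMANDS:
            if tuple(tokens[:len(pattern)]) == pattern:
                return "recon"
    return None


def analyze(jsonl):
    """Group findings per account; an account seen both enumerating the host and
    clearing audit logs is rated 'high', since that pairing is what the report describes."""
    findings = defaultdict(set)
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        label = classify(event)
        if label:
            findings[event.get("SubjectUserName", "?")].add(label)
    return {user: ("high" if labels == {"recon", "log_cleared"} else "low")
            for user, labels in findings.items()}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))  # {'svc_backup': 'high', 'alice': 'low'}
```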
The FireEye research report presents ample evidence that crypto firms are increasingly on APT41’s radar, cryptocurrency being, after all, the product of an algorithmic derivation. Alongside its formal findings, the report also makes a careful observation: APT41’s activity clusters in the late-night to early-morning hours, marking the group as a night owl.