On September 16, 2020, the U.S. Department of Justice (DOJ) announced that seven individuals believed to be part of a hacking group known as APT41 or “Wicked Panda,” including five Chinese nationals and two Malaysian nationals, have been charged in connection with a global hacking campaign that affected more than 100 companies around the world. The charges were included in three separate indictments in August 2019 and August 2020. The DOJ also announced that the two Malaysian residents had been arrested in Sitiawan, Malaysia, pursuant to a provisional arrest request from the United States.
Below we highlight several key takeaways from this global hacking campaign and the recent DOJ announcements.
(1) Anyone can be a target.
The seven hackers are charged with carrying out computer intrusions against more than 100 victim companies in the U.S. and around the world, with the victims coming from a wide range of industries, including software development, manufacturing, telecommunications, social media companies, video games companies, non-profit organizations, universities, think tanks, foreign governments, and pro-democracy politicians and activists in Hong Kong. Reflecting the diverse victim profiles, the resulting theft involved varying types of information, including source code, software code signing certificates, customer account data, and valuable business information.
The attacks against the video game companies alone demonstrate the global nature of the hacking campaign. The victim companies were based in countries such as France, South Korea, Japan, Singapore, and the United States, and the attacks were allegedly carried out by two Chinese nationals with assistance from two Malaysian nationals, all of whom have been charged with crimes ranging from racketeering to false registration of domain names and violations of the Computer Fraud and Abuse Act (CFAA). The attacks resulted in the theft of digital goods relating to those games (e.g., video game currency).
(2) A sophisticated attacker doesn’t always mean a sophisticated attack.
The hackers used a wide range of techniques, ranging from sophisticated and tailored attacks to more basic attacks that relied on publicly available exploits and tools. Three of the attackers are alleged to have worked for the Chengdu 404 Network Technology Company, a Chinese company that publicly describes itself as a network security company composed of elite “white hat” hackers. As part of their alleged conspiracy, the individuals used sophisticated hacking methods such as supply chain attacks (including compromising a software provider’s systems and then modifying the provider’s code in order to gain access to the provider’s customers) and employing C2 “dead drops,” which are web pages that appear legitimate but which actually contain malware.
Not all attacks were quite as sophisticated, however. The indictments reveal that in 2019 and 2020, the hackers also conducted a large-scale campaign to quickly exploit publicly identified vulnerabilities in widely used networking products (such as routers and VPNs) to gain access to victim networks before companies were able to patch the vulnerabilities.
(3) The indictments provide an example of successful cooperation between international governments and the private sector in combatting cyber-crime.
Following the EU’s first cyber sanctions earlier this year, the indictments and subsequent arrest of two Malaysian individuals highlight growing international efforts to combat cyber-crime. As noted above, in August 2020, two Malaysian individuals were charged with conspiring with two Chinese hackers to attack video game companies around the world. According to the DOJ’s announcement, less than one month later, on September 14, 2020, Malaysian authorities arrested the two individuals pursuant to a provisional arrest request from the United States, with a view to their extradition.
The DOJ also announced that in September 2020, with the assistance of several private companies, the FBI executed seizure warrants issued by the U.S. District Court for the District of Columbia, allowing the FBI to seize “hundreds of accounts, servers, domain names, and command-and-control (C2) ‘dead drop’ web pages” used by the defendants to carry out hacking activities. The DOJ’s announcement specifically thanked Microsoft, Google, and Verizon Media for the assistance they provided in the investigation, including disabling numerous accounts for violations of the companies’ terms of service, and in the case of Microsoft, helping to develop technical measures to block threat actors from accessing victim systems.