Threat Watch

FBI Releases Technical Indicators and True Names of APT 41 Threat Actors

On September 16th, the FBI publicly released information regarding an indictment of five threat actors based in the People’s Republic of China (PRC) for computer intrusions affecting more than 100 victim companies and organizations in the United States and government organizations in other countries. The group, which is known to security researchers and defenders as APT 41, operates from Chengdu, Sichuan Province in China and has been active since at least 2011. The threat group typically used phishing email messages with malicious file attachments disguised as application resumes, targeting HR departments.

The types of malicious files often used by the group include Microsoft Compiled HTML Help (CHM) files. After achieving initial access, the threat actors often obtained login credentials for administrator accounts and used those to expand their access to servers. The threat group often deployed third-party VPN software such as SoftEther on victim computers in order to provide themselves with another means of accessing the network. In addition to targeted phishing attacks, the group also leveraged publicly available exploit code for vulnerabilities in VPN services used by victim organizations, which they discovered by scanning the Internet for unpatched servers connected directly to the Internet with a public-facing IP address.

ANALYST NOTES

Organizations should consider multiple layers of defense based on adversary tactics when designing security controls for their systems. Email scanning for unusual attachments or links to download files is the first line of defense—since APT 41 is known to use CHM files, if those attachments are unusual in legitimate email messages, then it is a useful detection strategy to identify potentially malicious phishing messages. Detecting the installation of unauthorized VPN software is another layer of defense that could catch attacker behaviors. Defenders should have Endpoint Detection and Response (EDR) software on every workstation and server to alert whenever unusual activity occurs or unauthorized software is executed. Keeping up to date with security patches, especially for any server that can be accessed over the Internet, is extremely important to prevent opportunistic attacks from succeeding. Organizations should regularly scan their public-facing IP address space to account for any unauthorized or unmanaged services, and establish internal accountability for monitoring patching requirements. Applying known threat actor tactics and techniques to proactively hunt for threats and improve detection queries is an important step to regularly practice as part of an overall security strategy.