On September 16th, the FBI publicly released information regarding an indictment of five threat actors based in the People’s Republic of China (PRC) for computer intrusions affecting more than 100 victim companies and organizations in the United States and government organizations in other countries. The group, which is known to security researchers and defenders as APT 41, operates from Chengdu, Sichuan Province in China and has been active since at least 2011. The threat group typically used phishing email messages with malicious file attachments disguised as application resumes, targeting HR departments.
The malicious files the group used often included Microsoft Compiled HTML Help (CHM) files. After achieving initial access, the threat actors often obtained login credentials for administrator accounts and used those to expand their access to servers. The threat group often deployed third-party VPN software such as SoftEther on victim computers in order to provide themselves with an additional means of accessing the network. In addition to targeted phishing attacks, the group also leveraged publicly available exploit code for vulnerabilities in VPN services used by victim organizations, which they found by scanning the Internet for unpatched VPN servers exposed on public-facing IP addresses.
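The two behaviours described above (CHM attachments disguised as resumes sent to HR, and SoftEther VPN binaries appearing on victim hosts) lend themselves to simple detection logic. The following is an added illustration, not code from the FBI release or any vendor; the log line format and the sample events are constructed, and the SoftEther binary names are assumed from the product's public documentation.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data), one event per line.
# Mail events:    "MAIL <recipient-group> <sender> <attachment-name>"
# Process events: "PROC <host> <user> <image-path> <cmdline...>"
SAMPLE_EVENTS = [
    "MAIL hr recruiting@candidate.test resume_john_doe.chm",
    "MAIL hr jane@example.test cv_2020.pdf",
    "MAIL finance vendor@example.test invoice.chm",
    "PROC WS-HR-03 hr.user C:\\Windows\\hh.exe hh.exe C:\\Users\\hr.user\\Downloads\\resume_john_doe.chm",
    "PROC SRV-FILE-01 svc_backup C:\\ProgramData\\vpn\\vpnserver.exe vpnserver.exe /start",
    "PROC WS-HR-03 hr.user C:\\Windows\\explorer.exe explorer.exe",
]

RESUME_WORDS = re.compile(r"(resume|cv|curriculum)", re.IGNORECASE)
# Assumed SoftEther VPN executable names (from the product's public docs).
SOFTETHER_IMAGES = {"vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe"}

@dataclass
class Finding:
    rule: str
    detail: str

def check_mail(fields):
    """Flag every CHM attachment; raise severity for resume-themed CHMs sent to HR."""
    group, sender, attachment = fields
    if not attachment.lower().endswith(".chm"):
        return []
    sev = "high" if group == "hr" and RESUME_WORDS.search(attachment) else "medium"
    return [Finding(f"chm_attachment_{sev}", f"{sender} -> {group}: {attachment}")]

def check_proc(fields):
    """Flag hh.exe (the Windows HTML Help viewer) opening a CHM, and SoftEther binaries."""
    host, user, image, *cmdline = fields
    findings = []
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "hh.exe" and any(a.lower().endswith(".chm") for a in cmdline):
        findings.append(Finding("chm_opened_by_hh", f"{host}/{user}: {' '.join(cmdline)}"))
    if name in SOFTETHER_IMAGES:
        findings.append(Finding("softether_binary", f"{host}/{user}: {image}"))
    return findings

def scan(events):
    """Run the checks over every event and return the findings in input order."""
    findings = []
    for line in events:
        kind, *fields = line.split()
        if kind == "MAIL":
            findings.extend(check_mail(fields))
        elif kind == "PROC":
            findings.extend(check_proc(fields))
    return findings
```

Running `scan(SAMPLE_EVENTS)` yields four findings: a high-severity CHM resume to HR, a medium-severity CHM to finance, hh.exe opening the CHM, and the SoftEther server binary on a file server.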