Chinese government hackers suspected of moonlighting for profit

US firm FireEye said members of the group it calls Advanced Persistent Threat 41 (APT41) penetrated and spied on global technology, communications and healthcare providers for the Chinese government, while also using ransomware against game companies and attacking cryptocurrency providers for personal gain.

One of the most effective hacker teams backed by the Chinese government is also conducting financially motivated side operations, cyber security researchers said on Monday.

The findings, announced at the Black Hat security conference in Las Vegas, show how some of the world's most advanced hackers increasingly pose a threat to consumers and companies that are not traditionally targeted by state-sponsored espionage campaigns.

“APT41 is unique among the China-Nexus actors that we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain,” said FireEye senior vice president Sandra Joyce.

Officials in China did not immediately respond to Reuters‘ request for comment. Beijing has repeatedly denied Western allegations of widespread cyber espionage.

FireEye said APT41 used some of the same tools as another group it has previously reported on, which FireEye calls APT17 and Russian security firm Kaspersky calls Winnti.

FireEye, which sells internet security software and services, said an APT41 member advertised as a hacker for hire in 2009 and listed hours of availability outside the normal workday, circumstantial evidence of moonlighting.

Current and former Western intelligence officials told Reuters that Chinese hacker groups were known to pursue commercial cybercrime alongside their state-backed operations.

The group has used emails and other tricks designed to extract login credentials. But it has also deployed rootkits, which are relatively rare and give attackers control over a computer that is difficult to detect. Overall, the group has used about 150 unique pieces of malware, FireEye said.

The group's most technically impressive feats involved tainting millions of copies of a software utility called CCleaner, now owned by security company Avast. Only a handful of specially selected high-value computers were actually compromised, making the hack harder to detect.

Avast said it had been working with security researchers and law enforcement to stop the attack and that no damage had been discovered. The company had no immediate further comment on Wednesday.

In March, Kaspersky found that the group had hijacked Asus's software update process to reach more than 1 million computers, again while targeting a much smaller number of end users. Asus said the next day that it had issued a fix for the attack, which affected "a small number of devices".

"We have evidence that at least one telecom company may have been the intended target during the Asus compromise, which is consistent with APT41's espionage intentions over the past two years," FireEye spokesman Dan Wire said.

But cyber security company FireEye and Slovakia's ESET said the gaming compromises match financial motives more than national espionage. Among other things, the group gained access to a game's production environment and generated virtual currency worth tens of millions of dollars, FireEye said.