The US justice system is continuing its campaign against Chinese hackers. After indicting two of them this summer, the US Department of Justice announced on Wednesday, September 16, the indictment of five more Chinese hackers and two of their alleged accomplices.
These hackers belong to a loose grouping well known to intelligence agencies around the world and to the cybersecurity industry. The US authorities say they have put names and faces on Winnti (also known as APT41), a group with sometimes blurry outlines that has for several years been harassing hundreds of companies around the world with its intrusions.
About a hundred businesses affected
Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang, Chinese nationals aged between 35 and 37, are accused of, among other things, computer intrusion, identity theft and money laundering. Two accomplices of Zhang Haoran and Tan Dailin, Malaysian businessmen Wong Ong Hua, 46, and Ling Yang Ching, 32, face charges of racketeering, identity theft and money laundering. They were arrested on Monday in their country and are being held by police pending extradition to the United States, where they face several decades in prison. The five hackers remain in China.
The indictment, published by the US justice system, is a remarkable list of victims and of the techniques used to compromise them. Around a hundred companies are named by the US authorities as victims of this group of hackers. Many sectors of the economy have been hit: tourism, the pharmaceutical industry, video games and telecoms, as well as universities and NGOs.
Three of the accused hackers, Jiang Lizhi, Qian Chuan and Fu Qiang, work for Chengdu 404 Network Technology Co. On the face of it, this is a cybersecurity company like many others, headquartered in Chengdu and boasting of its "white hat" hackers who specialize in finding security flaws in their clients' systems. Behind that facade, its employees used this comfortable cover to engage in hacking of every kind.
In particular, they targeted a US social network, which the indictment does not name. They are also accused of having created dozens of fake accounts on that same network in order to approach certain employees of the companies they were targeting. They are further alleged to have hacked the provider of a "popular" encrypted messaging service between 2015 and 2020, and to have deployed ransomware against an anti-poverty NGO and a telecommunications company in Taiwan. They are also adept at cryptojacking, a technique in which the attacker takes control of a victim's computers or servers in order to use their computing power to mine cryptocurrency. Finally, they have several so-called "supply chain hacks" to their name. Particularly complex to carry out, these consist of going upstream rather than attacking the final target directly: the attacker discreetly inserts himself, by hacking, into a piece of software that the target uses, and thereby bypasses its defenses.
A specialty: video games
But if there is one area where this small group feels at home, it is video games. According to the US authorities, Zhang Haoran and Tan Dailin have since 2014 specialized in intrusions targeting the most lucrative companies in the sector, in particular those that sell players virtual currency or items for use inside the game. Once inside these companies' computer systems, the two hackers credited user accounts they had created beforehand with large quantities of virtual items or currency. These were then sold in bulk to other players, the real ones. This is where the two Malaysians arrested on Monday come in: they owned SEA Gamer Mall, a platform on which players could buy what the hackers had looted.
Only companies outside China were targeted: "It's really illegal, so we do it abroad," wrote Mr. Wong, quoted in the indictment, to one of his accomplices. The US authorities do not name it, but a French video game studio fell victim to these hackers. It was Mr. Wong who suggested attacking it, having noticed that the game developed by the French company could be lucrative.
This confirms the Winnti group's interest in the sector: while the US authorities give no names, the German press had revealed that the German company Gameforge was compromised in 2011, as was Valve. Likewise, the specialist firm Eset had noted that the game Infestation, developed by the Thai studio Electronic Extreme, had also been hacked by Winnti.
The strikingly small sums cited
While the acts alleged against the hackers may be criminal in nature, the US justice system says very little about the sums stolen by the five indicted hackers. When it does cite figures, they are strikingly small. A report by the specialist firm FireEye, written after investigating the hacking of a video game company, had established that accounts held by the hackers were credited, within three hours, with "tens of millions of dollars" in virtual currency. A seasoned Chinese hacker revealed in 2014, in a specialist publication, that this kind of activity could bring in up to 13,000 euros per month for a hacker.
By reproducing some of their conversations, the indictment gives a glimpse into the private exchanges of these hackers, who got to know each other just under ten years ago while working for companies specializing in cybersecurity, already a front for their cybercriminal activities. One can sense the excitement of one of them when using one of his particularly effective tools: "It's like playing the lottery," he wrote to one of his associates. At times a certain casualness, even routine, shows through. To a colleague complaining that his recent cryptojacking attempts had brought little success, Jiang Lizhi offered advice: "France and Italy are pretty good, a lot of well-known companies, and most not in technology. Just find Chinese and Italian companies and do them [hack them]."
A message to the Chinese government
There is little chance that the indicted hackers will ever be tried in the United States. Rather, the purpose of the indictment is to send a message, indirectly, to the Chinese government. Washington accuses Beijing of turning a blind eye to the criminal activity of hacker groups so that it can use them, occasionally but regularly, for economic espionage missions, which Washington is trying by every means to counter.
Because while the indictment says little about the Winnti group's economic espionage activities, they are real: in chemicals, high tech or medicine, in Europe, the United States or Southeast Asia, the group is hyperactive. "The Chinese Communist Party has made China a safe place for its own cybercriminals, as long as they help it achieve its goals of stealing intellectual property and suppressing freedoms," said Jeffrey Rosen, the Deputy Attorney General, at a press conference.
One of the group's hackers, whose pseudonym was identified in 2013, was indicted five years later by the US justice system for his involvement in a vast industrial espionage operation that notably targeted the French company Safran. According to the US authorities, this hacker worked directly for Chinese intelligence. Thus the same address belonging to the Winnti group can be used in the morning to spy on a Taiwanese newspaper and in the evening to hack a cryptocurrency exchange. Firms that specialize in tracking high-end hackers are certain of it: the Winnti group is also behind the spectacular hack of CCleaner, a hugely popular PC maintenance utility, which served as the entry point for a sophisticated espionage operation. Traces of the group were also found in a closely related hack, the compromise of thousands of Asus computers.
This indictment is unlikely to end the porosity between Chinese intelligence and the country's cybercriminals. It is not even certain that it frightens the hackers of the Middle Kingdom. In 2018, one of them pretended to panic: "The Americans are after me. The Americans have stuff on us." That did not discourage them, however.