Meet APT41, the Chinese hackers moonlighting for personal gain

In a first for China-based group, FireEye said, the hackers are using malware typically reserved for spying for personal gain.

Members of a Chinese state-sponsored hacking group have been using their skills to enrich themselves for years in operations targeting the gaming industry, cybersecurity company FireEye announced Wednesday.

By day, the group, dubbed APT41, conducts espionage in the health care, telecommunications and education sectors, FireEye said. By night, those same hackers have manipulated virtual currency in the gaming sector and, in one case, they tried to deploy ransomware to line their pockets.

In a first for China-based group, FireEye said, the swindling involves malware typically reserved for spying.

“Their aggressive and persistent operations for both espionage and cybercrime purposes distinguish APT41 from other adversaries and make them a major threat across multiple industries,” said Sandra Joyce, FireEye’s senior vice president of global threat intelligence.


APT41’s unveiling comes as the U.S. and China are locked in a bitter trade dispute, and after years of U.S. officials alleging that the Chinese government has sponsored cyber-economic espionage. In multiple indictments, U.S. officials have accused Beijing-backed hackers of stealing intellectual property (IP). China has denied the allegations. For its part, APT41 doesn’t seem to have stolen IP since late 2015, according to FireEye.

The dossier on APT41 stretches back years, and overlaps with what other companies call Barium or Winnti, which are related groupings of Chinese-speaking hackers. Sometime after 2012, the group now labeled APT41 expanded from money-making campaigns to activity that was likely state-backed, according to FireEye. They then maintained a balance between their state-sponsored work and the financially-motivated moonlighting.

APT41’s far-flung activity reflects the global nature of the supply chain and the multinational companies targeted. The group has gone after organizations in India, Italy, South Korea, Switzerland, Turkey, the United Kingdom and the United States, among other countries, according to FireEye.

The group has been relentless in pursuit of its goals, regaining a foothold in networks when computer specialists drive them out.

“We’ve ousted them from networks only to find them come back in force very shortly after,” said John Hultquist, director of intelligence analysis at FireEye.


APT41’s hackers have hit multiple telecommunications companies in the last couple years, extracting call and SMS records on foreign government officials and other targets, said Nalani Fraser, FireEye’s senior manager of intelligence analysis. Those spying operations differ from another Chinese espionage campaign documented by Cybereason in June, which hit about 10 cellular providers in Africa, Europe, the Middle East and Asia.

The news is reminiscent of North Korean hackers who, researchers say, are responsible for raking in a certain amount of money for Pyongyang through cybercrime. But whereas that theft has been vast, this was on a smaller scale, according to Fraser. If the APT41 hackers were able to cash out on cryptocurrency they generated, they did so and moved on to their next target, she added.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts