
Chinese cyber espionage bootcamps have been training recruits in the art of supply chain attacks for over a decade



SALT LAKE CITY – (BUSINESS WIRE) – Venafi®, the inventor and leading provider of machine identity management, today released a new report analyzing the attack patterns of the Chinese state-backed hacking group APT41 (also known as the Winnti group). The research, APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks, shows that:

  • APT41 is unique among China-based threat groups because it uses custom, non-public malware normally reserved for espionage in financially motivated operations, likely outside of its state-sponsored missions.

  • Critical to the success of this method of attack, APT41 has made code signing keys and certificates – the machine identities that authenticate code – a primary target.

  • Compromised code signing certificates are used as a shared resource across large attacking teams: they act as an attack force multiplier and greatly increase the chances of success.

  • This long-term strategic direction is a primary factor in APT41’s ability to compromise a wide range of high-value targets across multiple industries, including healthcare, foreign governments, pharmaceuticals, airlines, telecommunications and software providers.

Venafi warns that, given APT41’s success, its distinctive use of compromised code signing machine identities in supply chain attacks is likely to become the preferred method of other threat groups.

“APT41 has repeatedly used code signing machine identities to orchestrate a series of large-scale attacks that support China’s long-term economic and political goals and military objectives,” commented Yana Blachman, threat intelligence specialist at Venafi. “Code signing machine identities allow malicious code to appear genuine and evade security checks. The success of attacks using this model over the past decade has created a template for sophisticated attacks that have been very successful because they are very difficult to detect. Since the targeting of the Windows CCleaner software utility in 2018 and ASUS LiveUpdate in 2019, APT41’s methods continue to improve. Every software vendor should be aware of this threat and take action to protect their software development environments.”

One of APT41’s preferred entry methods is to compromise the supply chain of a commercial software vendor. Every customer of that software receives the trojanized product, which lets the group reach carefully chosen victims inside a much larger pool of infected organizations. APT41 then delivers secondary malware only to targets of interest for cyber espionage. Once inside, APT41 moves laterally across the victim’s network using stolen credentials and a range of reconnaissance tools, and uses custom malware to steal valuable intellectual property and customer data from these specific targets only.

Code signing machine identities are so central to APT41’s attack methods that the group actively maintains a library of code signing certificates and keys, stolen from victims or purchased from underground dark web markets and from other Chinese attack groups, to replenish its supply. Previous research by Venafi has shown that code signing certificates are readily available for purchase on the dark web, selling for up to $1,200 each.
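Why a stolen certificate is such a useful resource, and where the consumer’s defence actually sits, is easiest to see in code. The following Go program is an added example written for this page, not code from Venafi or from any APT41 tooling. It uses Ed25519 keys and a key ID trust store as a constructed stand-in for X.509 code signing certificates and the operating system’s publisher trust; the vendors, products, payloads and the “stolen key” are all constructed. It shows that a package signed with a stolen key verifies exactly like the vendor’s own, so signature validity alone proves nothing, and that only revocation (once the vendor notices) and per-product pinning of the expected signer turn the theft into a detectable failure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedUpdate is a constructed stand-in for a vendor's signed update package:
// the payload, the signature, and the ID of the key that produced it. Real
// formats (Authenticode, etc.) carry a certificate chain instead of a key ID,
// but the trust decision the consumer has to make is the same.
type SignedUpdate struct {
	Product   string
	Payload   []byte
	KeyID     string
	Signature []byte
}

// keyID is a short fingerprint (first 8 bytes of SHA-256 of the public key).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign builds a signed update with whatever private key the caller holds;
// the signer can be the vendor's build system or an attacker with a stolen key.
func Sign(product string, payload []byte, priv ed25519.PrivateKey) SignedUpdate {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedUpdate{product, payload, keyID(pub), ed25519.Sign(priv, payload)}
}

// TrustStore is what the consumer knows: Keys are the publisher keys it accepts
// (like an OS root store), Pins map each product to the key ID its vendor
// announced for it, and Revoked is the vendor's revocation list.
type TrustStore struct {
	Keys    map[string]ed25519.PublicKey
	Pins    map[string]string
	Revoked map[string]bool
}

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrUnknownKey   = errors.New("signing key not in trust store")
	ErrRevoked      = errors.New("signing key has been revoked")
	ErrNotPinned    = errors.New("signing key is not the one pinned for this product")
)

// VerifyNaive asks only "is the signature valid under a key we trust?".
// A stolen key defeats this check: the attacker's package passes exactly
// like the vendor's own.
func VerifyNaive(u SignedUpdate, ts TrustStore) error {
	pub, ok := ts.Keys[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyPinned adds the two checks a stolen key does not pass forever:
// revocation (effective once the vendor learns of the theft) and per-product
// pinning (a key stolen from vendor A cannot push "updates" for vendor B's product).
func VerifyPinned(u SignedUpdate, ts TrustStore) error {
	if err := VerifyNaive(u, ts); err != nil {
		return err
	}
	if ts.Revoked[u.KeyID] {
		return ErrRevoked
	}
	if ts.Pins[u.Product] != u.KeyID {
		return ErrNotPinned
	}
	return nil
}

// Outcome records what each verifier says about one package.
type Outcome struct{ Naive, Pinned error }

// Scenario runs the constructed cases and returns the verdicts keyed by name.
func Scenario() map[string]Outcome {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // vendor A's signing key
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)     // vendor B's signing key
	ts := TrustStore{
		Keys:    map[string]ed25519.PublicKey{keyID(pubA): pubA, keyID(pubB): pubB},
		Pins:    map[string]string{"VendorA-Agent": keyID(pubA), "VendorB-Agent": keyID(pubB)},
		Revoked: map[string]bool{},
	}
	stolen := privA // constructed: the attacker exfiltrated vendor A's key

	genuine := Sign("VendorA-Agent", []byte("VendorA-Agent 2.1 (legitimate build)"), privA)
	backdoored := Sign("VendorA-Agent", []byte("VendorA-Agent 2.1 + implant"), stolen)
	crossProduct := Sign("VendorB-Agent", []byte("VendorB-Agent 5.0 + implant"), stolen)
	tampered := genuine
	tampered.Payload = []byte("VendorA-Agent 2.1 (modified after signing)")

	check := func(u SignedUpdate) Outcome { return Outcome{VerifyNaive(u, ts), VerifyPinned(u, ts)} }
	out := map[string]Outcome{
		"genuine":                  check(genuine),
		"stolen-before-revocation": check(backdoored), // indistinguishable from genuine
		"stolen-cross-product":     check(crossProduct),
		"tampered":                 check(tampered),
	}
	ts.Revoked[keyID(pubA)] = true // vendor A discovers the theft and revokes the key
	out["stolen-after-revocation"] = check(backdoored)
	return out
}

func main() {
	out := Scenario()
	for _, name := range []string{"genuine", "stolen-before-revocation", "stolen-after-revocation", "stolen-cross-product", "tampered"} {
		fmt.Printf("%-26s naive=%v  pinned=%v\n", name, out[name].Naive, out[name].Pinned)
	}
}
```

The "stolen-before-revocation" row is the whole point of the research: until the vendor knows the key is gone, no consumer-side check distinguishes the backdoored build from the real one, which is why protecting the keys in the build environment, not signature verification at the consumer, is where the defence has to be.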

“Today’s attackers are disciplined and highly skilled software developers, using the same tools and techniques as the good guys,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “They recognize that vulnerabilities in the software build environment are easy to exploit, and they have spent years developing, testing and refining the tools necessary to steal code signing machine identities. This research should raise alarm bells with every executive and board of directors, as every company today is a software developer. We need to take the protection of code signing machine identities much more seriously.”

About Venafi

Venafi is the cybersecurity market leader in managing machine identities, securing connections and machine-to-machine communications. Venafi protects all machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, SSH, code signing, mobile and IoT. Venafi provides holistic visibility into machine identities and their associated risks across the extended enterprise (on-premises, mobile, virtual, cloud and IoT) at machine speed and scale. Venafi puts that intelligence into action with automated remediation that reduces the security and availability risks associated with weak or compromised machine identities, while protecting the flow of information to trusted machines and preventing communication with untrusted machines.

With over 30 patents, Venafi provides innovative solutions to the most demanding and security-conscious Global 5000 organizations and government agencies, including the five largest US health insurers; the top five US airlines; the top four credit card issuers; three of the top four accounting and consulting firms; four of the top five US retailers; and the top four banks in each of the following countries: the United States, the United Kingdom, Australia and South Africa.

For more information, visit: www.venafi.com.