More Evidence of the Persistent China Threat to the US

Exactly how much is the United States going to tolerate?

Not only is the United States and the Western world concerned about the constant military threat of China in the South China Sea but the cyber war continues.

Just read through this Department of Justice report for context –>

Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research

Indictment Alleges Three Defendants Were Officers in the Hainan State Security Department (HSSD), a provincial arm of China’s Ministry of State Security (MSS)

A federal grand jury in San Diego, California, returned an indictment in May charging four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018. The indictment, which was unsealed on Friday, alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes. The defendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province.

The two-count indictment alleges that Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), were HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities. The indictment alleges that Wu Shurong (吴淑荣) was a computer hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers.

The conspiracy’s hacking campaign targeted victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom. Targeted industries included, among others, aviation, defense, education, government, health care, biopharmaceutical and maritime. Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects). At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia.

As alleged, the charged MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy’s goals. Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address.

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” said Deputy Attorney General Lisa O. Monaco. “The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft.”

“The FBI, alongside our federal and international partners, remains committed to imposing risk and consequences on these malicious cyber actors here in the U.S. and abroad,” said Deputy Director Paul M. Abbate of the FBI. “We will not allow the Chinese government to continue to use these tactics to obtain unfair economic advantage for its companies and commercial sectors through criminal intrusion and theft. With these types of actions, the Chinese government continues to undercut its own claims of being a trusted and effective partner in the international community.”

“This indictment alleges a worldwide hacking and economic espionage campaign led by the government of China,” said Acting U.S. Attorney Randy Grossman for the Southern District of California. “The defendants include foreign intelligence officials who orchestrated the alleged offenses, and the indictment demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate. These offenses threaten our economy and national security, and this prosecution reflects the Department of Justice’s commitment and ability to hold individuals and nations accountable for stealing the ideas and intellectual achievements of our nation’s best and brightest people.”

“The FBI’s San Diego Field Office is committed to protecting the people of the United States and the community of San Diego, to include our universities, health care systems, research institutes, and defense contractors,” said Special Agent in Charge Suzanne Turner of the FBI’s San Diego Field Office. “The charges outlined today demonstrate China’s continued, persistent computer intrusion efforts, which will not be tolerated here or abroad. We stand steadfast with our law enforcement partners in the United States and around the world and will continue to hold accountable those who commit economic espionage and theft of intellectual property.”

The defendants’ activity had been previously identified by private sector security researchers, who have referred to the group as Advanced Persistent Threat (APT) 40, BRONZE, MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope and Temp.Jumper.

According to the indictment, to gain initial access to victim networks, the conspiracy sent fraudulent spearphishing emails, that were buttressed by fictitious online profiles and contained links to doppelgänger domain names, which were created to mimic or resemble the domains of legitimate companies. In some instances, the conspiracy used hijacked credentials, and the access they provided, to launch spearphishing campaigns against other users within the same victim entity or at other targeted entities. The conspiracy also used multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand and maintain unauthorized access to victim computers and networks. The conspiracy’s malware included those identified by security researchers as BADFLICK, aka GreenCrash; PHOTO, aka Derusbi; MURKYTOP, aka mt.exe; and HOMEFRY, aka dp.dll. Such malware allowed for initial and continued intrusions into victim systems, lateral movement within a system, and theft of credentials, including administrator passwords.

The conspiracy often used anonymizer services, such as The Onion Router (TOR), to access malware on victim networks and manage their hacking infrastructure, including servers, domains and email accounts. The conspiracy further attempted to obscure its hacking activities through other third-party services. For example, the conspiracy used GitHub to both store malware and stolen data, which was concealed using steganography. The conspiracy also used Dropbox Application Programming Interface (API) keys in commands to upload stolen data directly to conspiracy-controlled Dropbox accounts to make it appear to network defenders that such data exfiltration was an employee’s legitimate use of the Dropbox service.

Coinciding with today’s announcement, to enhance private sector network defense efforts against the conspirators, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a Joint Cybersecurity Advisory containing these and further technical details, indicators of compromise and mitigation measures.

The defendants are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit economic espionage, which carries a maximum sentence of 15 years in prison. The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencings of the defendants will be determined by the assigned judge.

The investigation was conducted jointly by the U.S. Attorney’s Office for the Southern District of California, the National Security Division’s Counterintelligence and Export Controls Section, and the FBI’s San Diego Field Office. The FBI’s Cyber Division, Cyber Assistant Legal Attachés and Legal Attachés in countries around the world provided essential support. Numerous victims cooperated and provided valuable assistance in the investigation.

Assistant U.S. Attorneys Fred Sheppard and Sabrina Feve of the Southern District of California and Trial Attorney Matthew McKenzie of the National Security Division’s Counterintelligence and Export Control Section are prosecuting this case.

***   source

The threat however does not end in the cyber realm, there is the matter of nuclear weapons. Just days ago, China threatened Japan, an ally of the United States with a nuclear attack over the matter of Taiwan.

“We will use nuclear bombs first. We will use nuclear bombs continuously. We will do this until Japan declares unconditional surrender for the second time,” a threatening video circulated among official Chinese Communist Party channels warns.

“When we liberate Taiwan, if Japan dares to intervene by force – even if it only deploys one soldier, one plane or one ship – we will not only return fire but also wage full-scale war against Japan itself.”

Tensions between Tokyo and Beijing have spiked high in recent weeks.

Deputy Prime Minister Taro Aso said: “We must defend Taiwan, under our alliance with the US”.

Defence Minister Yasuhide Nakayama added Japan and the US must “protect Taiwan as a democratic country”.

This was not what Beijing wanted to hear.

 

“We will never allow anyone to intervene in the Taiwan question in any way,” retorted Chinese foreign ministry spokesman Zhao Lijian at a press briefing last week.

But a Chinese Communist Party approved video channel with close ties to the People’s Liberation Army (PLA) took the anger to the next level.

*** Is the Biden administration taking anything seriously? Rather Kamala? Recently Foreign Policy magazine published in part the following:

For the past couple of months, a rumor has been going around Washington that China might be dramatically expanding its arsenal of nuclear-armed intercontinental ballistic missiles (ICBMs) that can strike the United States. I had heard that rumor and so had many of my colleagues.

According to a report released by the U.S. Defense Department last September, China had about 100 of those missiles but was expected to double that number in the coming years. Read in full here.

Hunter Gets Big Money for his Paintings Likely Due to his Shady Art Dealer

Any officials investigating for criminal activity other than the strident journalists at the New York Post? (rhetorical)

Hat tip:

As federal prosecutors continue their criminal probes into Hunter Biden’s taxes and international business dealings, the President’s son — shuttling between Washington DC and a sprawling Los Angeles home — is lying low, consulting with lawyers and focusing on his new career in art.Hunter1.The Georges Berges Gallery at 462 West Broadway in Soho.

Helayne Seidman

Biden, who turns 51 next week, is prepping a solo show with Soho art dealer Georges Berges, who currently represents Sylvester Stallone. Berges was once arrested for “terrorist threats” and assault with a deadly weapon in California and has strong ties to China.

Biden, who continues to hold business interests in a billion-dollar Chinese investment firm, recently moved to a sprawling Venice Beach rental with his wife Melissa Cohen and 10 month old son, according to the Daily Mail. He was previously living in a Hollywood Hills home where he had set up an art studio.hollywood-hills-hunter-biden-3 source

That home is connected to Shane Khoh, a Los Angeles-based entrepreneur and real estate investor who is CEO of SXU Investment Holdings LLC, the California company that has owned the $3.8 million property since 2011, according to public records. Khoh, an American who is fluent in Chinese, sits on the board of Siong Heng Realty Pte Ltd., a Singapore-based real estate holding company, according to his LinkedIn profile. He is also listed as a “venture partner” of Diverse Communities Impact Fund, a private-equity group that features former Democratic New Mexico Gov. Bill Richardson on its board of advisors.

The house was featured in a New York Times profile of Biden as an emerging abstract painter last year. Last year Khoh told The Washington Examiner that Biden was paying $12,000 a month for the property, which features a pool house that Biden has turned into an art studio. Khoh denied any prior relationship with Biden to the newspaper.

But when The Post asked this week about his arrangements with his tenant, Khoh clammed up: “I have nothing to say about Hunter Biden. I have no comment.”

Biden and his family have since moved into a $5.4 million Venice Beach home owned by Sweetgreen co-founder and CEO Jonathan Neman, according to the Daily Mail report.

Others in Biden’s orbit were even more reticent.

Calls to Lunden Alexis Roberts, an Arkansas stripper who sued Biden for paternity and child support after the birth of their 2-year-old daughter, refused comment, as did her lawyer. It is not known how much Biden is paying in child support for “Baby Doe,” as she is referred to in court papers. The father of five had initially argued that the child was not his, and repeatedly tried to delay the case. Roberts, who met Biden at a Washington, DC, strip club where she used to work, said in a December 2019 court filing that Biden had not provided any financial support for the child.

Although Biden has divested himself of many of his old business interests, he does not seem to be hard up for cash. He has been seen driving around Los Angeles in a Porsche Panamera, which retails for more than $90,000. He retains control of a limited liability corporation that has a 10 percent stake in BHR Partners, a Chinese private-equity firm with $2 billion in assets and partly owned by the Bank of China, according to reports.

Biden’s stake in the Chinese firm is owned by Skaneateles LLC, a company named for his mother Neilia Hunter Biden’s upstate New York hometown. The company has used the Hollywood Hills home as one of its addresses. Neilia, Joe Biden’s first wife, died in a 1972 car crash in Delaware that also killed Biden’s 1-year-old sister Naomi. Hunter Biden and his older brother Beau, who were toddlers, were injured in the accident.

“It’s like a lottery ticket he has in his hand with a 10 percent stake in a company worth billions,” said a source. “Just imagine if that company is worth $2 billion, Biden takes home $200 million.”

Biden’s convoluted international business dealings became a heated political issue in the final months of the 2020 presidential campaign after The Post revealed a trove of emails from Hunter’s laptop that raised questions about then-candidate Joe Biden’s ties to his son’s foreign business ventures, including Burisma. The Ukrainian energy company reportedly paid Hunter $50,000 a month between 2014 and 2019 to sit on its board of directors. Hunter Biden is also accused of promoting the interests of CEFC China Energy Co, a Chinese conglomerate that was to pay him more than $10 million a year for introductions to officials in Washington.

Last year, a federal watchdog called on the Department of Justice to launch “a full investigation” of Hunter Biden, who they claim did not register under federal Foreign Agent Registration Act rules that govern those lobbying for a foreign entity.

“Hunter Biden’s tangled web of shell companies, LLCs, investment vehicles, and options agreements make it virtually impossible to know where he is getting income from,” said Thomas Anderson, director for the National Legal Policy Center, adding that circumventing the FARA regulations allowed Biden and his associates to operate under the radar.

Selling his abstract artwork to wealthy investors may also be a lucrative way to rake in cash, Anderson said. “We highly doubt, however, a career as an artist will do anything more than act as a vehicle to further shield where that income is coming from,” he said.

But Hunter Biden told The Times he had another reason for turning to art. Painting is “literally keeping me sane right now,” he said, adding that it helped him in his battles with addiction to drugs and alcohol.

“If I didn’t know who it was and I saw it for the first time, I would think it was pretty interesting stuff. He’s got talent,” New York art critic Anthony Haden-Guest told The Post.

The paintings feature pastel bursts of flowers and other shapes made with layers of alcohol ink that he blows with a metallic straw onto Japanese Yupo paper, a smooth synthetic material made from recycled paper.

Biden’s new dealer, who opened his Soho gallery in 2015, is tight-lipped about his galleries in New York and Berlin, which are reportedly frequented by Spike Lee, Dave Chapelle and Susan Sarandon as well as international titans of industry.

“He’s got this Woody Allen look to him … He’s crazy in a good way,” one artist who’s worked with Berges told The Post.

Berges, 44, regularly features works by Chinese artists and told a Chinese network that he was keen to open other art galleries in Beijing and Shanghai in 2015. “The questions that I always had was how’s China changing the world in terms of art and culture,” Berges told the China Daily in 2014.

Berges was accused of defrauding an investor in a 2016 federal lawsuit. Ingrid Arneberg claims she invested $500,000 in Berges’ gallery for a promised expansion, but instead he used the cash to pay off old debts. Berges later countersued Arneberg, and the case was settled in 2018.

In 1998, he was charged with assault with a deadly weapon and making “terrorist threats,” which were dismissed. He pled “no contest” to the assault and received 36 months probation and served 90 days in jail, according to Santa Cruz Superior Court documents — the only information publicly available about the case.

Berges did not return several messages seeking comment. A worker at his gallery in Soho told The Post he didn’t know anything about Hunter Biden’s solo exhibition, which is scheduled for later this year, according to reports.

George Mesires, a lawyer for Hunter Biden did not return The Post’s calls.

 

Proof There are Bats Inside the Wuhan Lab

Primer question: Will social media shut down this article? It has evidence and comes from renowned scientists including at MIT.

Back in early 2020, during the middle of the nationwide lockdown, this site published two items, here and here regarding the Wuhan Institute of Virology and that bats were in fact at the center of the cause of the pandemic.

Recently, former President Trump told media that the United States should demand at least $10 trillion from China due to the various forms of destruction and death by China. He is right. Frankly, the United States should declare all the debt load that China carries in the form of loans for the United States paid in full. Further, President Trump was exactly right to defund the World Health Organization and in fact it should be criminally charged for death and destruction.

*** The WIV had been genetically sequencing the mine virus in 2017 and 2018, analyzing it in a way they had done in the past with other viruses in preparation for running experiments with them.

For years, concerned scientists have warned that this type of pathogen research was going to trigger a pandemic. Foremost among them was Harvard epidemiologist Marc Lipsitch, who founded the Cambridge Working Group in 2014 to lobby against these experiments. In a series of policy papers, op-eds, and scientific forums, he pointed out that accidents involving deadly pathogens occurred more than twice a week in U.S. labs, and estimated that just 10 labs performing gain-of-function research over a 10-year period would run a nearly 20 percent risk of an accidental release. In 2018, he argued that such a release could “lead to global spread of a virulent virus, a biosafety incident on a scale never before seen.”

Thanks in part to the Cambridge Working Group, the federal government briefly instituted a moratorium on such research. By 2017, however, the ban was lifted and U.S. labs were at it again. Today, in the United States and across the globe, there are dozens of labs conducting experiments on a daily basis with the deadliest known pathogens. One of them is the Wuhan Institute of Virology. For more than a decade, its scientists have been discovering coronaviruses in bats in southern China and bringing them back to their lab in Wuhan. There, they mix genes from different strains of these novel viruses to test their infectivity in human cells and lab animals. source

 

Now we appear to have video evidence that came from an Australian media source.

As a reminder, the United States was not the only country that not only gave funding to ‘gain of function’ to the WIV but Australia did as well. More research paper summaries are surfacing as well as additional evidence that includes patent applications. The scientific theory now is that the WIV modeled the function of the virus to be more lethal in the transmission of human to human, altering it from animal to human.

So, where is Dr. Fauci on this? His emails did not include anything that resembled an inquiry of gain of function or bats.

There were live bats in the Wuhan Institute of Virology ... that is a bat hanging off the lab workers hat.

***

The Wuhan Institute of Virology (WIV) was found to have filed patents for “bat rearing cages” and “artificial breeding” systems in the months before the coronavirus first emerged last December. WIV has been subject to international scrutiny as it was known to have been carrying out experiments on bat coronaviruses – and is located just miles from Covid’s ground zero.

And the allegations continue despite the World Health Organisation appearing to exonerate the lab in its findings after a mission to Wuhan – which since been branded a “whitewash”.

The new revelations about the bat cages raises more questions about the work the Chinese scientists – lead by Dr Shi Zhengli, known as Batwoman – were doing in the months leading up to the pandemic.

It had previously been denied that WIV was keeping any live bats on site – but an online profile of the lab reportedly claimed it has capacity to keep 12 bat cages.

WIV scientists filed patents in June 2018 and October 2020 for the cages and methods for breeding of bats, which are believed to be the natural reservoir of Covid.

The first patent was filed for “bat rearing cages” which would be “‘capable of healthy growth and breeding under artificial conditions”, reports the Mail on Sunday.

And the second patent relates to a method of “artificially breeding” of wild bats, and in the document it describes bats being “artificially” infected with coronaviruses.

It explains it is hoped the breeding scheme will allow them to create a “brand-new model experimental animal for scientific research”.

The patents raise yet further questions about the work of the shadowy lab which has been accused by the US of having links to the Chinese military.

It comes as the White House said it has “deep concerns” that the Chinese government may have interfered with WHO’s investigation into the origins of Covid.WHO investigator Peter Daszak, who has longstanding links with WIV, had previously claimed no live bats were being kept by the lab.

Last April, he said: “All bats are released back to their cave site after sampling. It’s a conservation measure and is much safer in terms of disease spread than killing them or trying to keep them in a lab.”

In December, he appeared to repeat the claim by stating labs he had worked with “DO NOT have live or dead bats in them. There is no evidence anywhere that this happened”.

Daszak had been a member of the ten-person WHO team who swung its weight behind the Chinese government’s effort to deflect blame over the origins with the virus.

The team all but ruled out the lab leak, suggested the virus may have come from outside of China, and appeared to place their focus on claims the virus may have come from frozen food.And then just days later, WHO investigator Dominic Dwyer backtracked as he said it likely did start in China, and later claimed the Communist Party authorities refused to hand over raw data.

He said: “Why that doesn’t happen, I couldn’t comment. Whether it’s political or time or it’s difficult .

“But whether there are any other reasons why the data isn’t available, I don’t know. One would only speculate.”

The WHO mission was tightly controlled and stage managed by China – and even saw the scientists visits a propaganda museum celebrating Wuhan’s fight against Covid.

The organisation itself is also facing questions about how it handled the early days of the pandemic, being accused by former US President Donald Trump of being “China-centric”.

26M Amazon, Facebook, Apple, eBay User Logins Stolen by Hackers

The private login information belonging to tens of millions of people was compromised after malware infiltrated over 3.2 million Windows-based computers during a two-year span.

According to a report by cybersecurity provider NordLocker, a custom Trojan-type malware infiltrated the computers between 2018 and 2020 and stole 1.2 terabytes (TB) of personal information.
As a result, hackers were able to get their hands on nearly 26 million login credentials including emails, usernames and passwords from almost a million websites, according to Nordlocker’s report, which was conducted in partnership with a third-party company specializing in data breach research.

The targeted websites include major namesakes such as Amazon, Walmart, eBay, Facebook, Twitter, Apple, Dropbox and LinkedIn.

Adobe breach far bigger than thought - 38 million records ...

The malware was transmitted through email and “illegal software” which included a pirated version of “Adobe Photoshop 2018, a Windows cracking tool, and several cracked games,” according to the report.

To steal the personal information, the malware was reportedly able to take screenshots of a person’s information and also photograph “the user if the device had a webcam.”

Among the stolen database were 2 billion browser cookies and 6.6 million files, including 1 million images and more than 650,000 Word and .pdf files.

“Cookies help hackers construct an accurate picture of the habits and interests of their target,” the report read. “In some cases, cookies can even give access to the person’s online accounts.”

Making up the bulk of the stolen database was “3 million text files, 900,00 image files, and 600,000+ Word files.”

What was of most concern, according to Nordlocker, was that “some people even use Notepad to keep their passwords, personal notes, and other sensitive information,” according to the report.

***

McDonald's discloses hack of customer data in South Korea ...

But now McDonald’s is the latest victim.

McDonald’s on Friday disclosed limited details of a data breach that may have exposed some customer data.

“While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data,” a McDonald’s spokesperson said, adding that based on the company’s investigation so far, only Korean and Taiwanese customers were impacted.

The Wall Street Journal initially reported that U.S. markets were also impacted and that the breach exposed some U.S. business and employee contact information.

Those markets “will be taking steps to notify regulators and customers listed in these files,” which did not include customer payment information, the McDonald’s spokesperson said.

“McDonald’s understands the importance of effective security measures to protect information, which is why we’ve made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense,” the spokesperson said.

The fast-food chain said it was able to “quickly identify and contain” threats on its network. It also conducted a “thorough investigation” and worked with “experienced third parties” to do so.

McDonald’s did not share any additional details about the breach.

From Cyberscoop in part:

In other cases, by compromising payment machines, cybercriminals have swept up troves of customer data. That’s what happened in a 2019 breach of Checkers Drive-In Restaurants, when hackers accessed data such as payment card numbers and verification codes in an incident that affected more than 100 Checkers locations. The most notorious group to use the tactic is known as FIN7, a multibillion dollar criminal enterprise that has targeted payment data at Chipotle, Red Robin and Taco’s John.

McDonald’s defended its cybersecurity practices on Friday.

“McDonald’s understands the importance of effective security measures to protect information, which is why we’ve made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense,” the company’s statement reads.

“Moving forward, McDonald’s will leverage the findings from the investigation as well as input from security resources to identify ways to further enhance our existing security measures.”

Airline Hacked by APT41

On March 4, 2021, SITA, an international provider of IT services for the air transport industry worldwide, said it had suffered a security incident. The announcement, however, was not getting the attention it deserved until Air India, one of SITA’s customers, reported a massive passenger data breach on May 21 caused by an earlier attack against SITA. Between March and May, various airline companies, including Singapore Airlines, Malaysia Airlines, and others, disclosed data breaches. All of those companies were SITA customers. After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply chain attacks in the airline industry’s history.

Using its external threat hunting tools, Group-IB’s Threat Intelligence team attributed the Air India incident with moderate confidence to the Chinese nation-state threat actor known as APT41. The campaign was codenamed ColunmTK.

On May 21, Air India, India’s flag carrier, published an official statement on their website about a data breach. The announcement revealed that the breach was caused by a February incident at the airline’s IT service provider, SITA PSS, which is responsible for processing customers’ personally identifiable information (PII). It came to light that the SITA cyberattack affected 4,500,000 data subjects globally, including data related to Air India’s customers.

On May 21, Air India, India’s flag carrier, published an official statement on their website about a data breach. The announcement revealed that the breach was caused by a February incident at the airline’s IT service provider, SITA PSS, which is responsible for processing customers’ personally identifiable information (PII). It came to light that the SITA cyberattack affected 4,500,000 data subjects globally, including data related to Air India’s customers. Significant attribution detail continues here.

***

The FBI defines the APT41 as:

From 2020:

A global hacking collective known as APT41 has been accused by US authorities of targeting company servers for ransom, compromising government networks and spying on Hong Kong activists.

Seven members of the group—including five Chinese nationals—were charged by the US Justice Department on Wednesday.

Some experts say they are tied to the Chinese state, while others speculate money was their only motive. What do we really know about APT41?

Who are they?

Five members of the group were expert hackers and current or former employees of Chengdu 404 Network Technology, a company that claimed to provide legitimate “white hat” hacking services to detect vulnerabilities in clients’ .

But the firm’s work also included malicious attacks on non-client organisations, according to Justice Department documents.

Chengdu 404 says its partners include a government tech security assessor and Chinese universities.

The other two hackers charged are Malaysian executives at SEA Gamer Mall, a Malaysia-based firm that sells video game currency, power-ups and other in-game items.

What are they accused of?

The team allegedly hacked the computers of hundreds of companies and organisations around the world, including healthcare firms, and telecoms and pharmaceutical providers.

The breaches were used to collect identities, hijack systems for ransom, and remotely use thousands of computers to mine for cryptocurrency such as bitcoin.

One target was an anti-poverty non-profit, with the hackers taking over one of its computers and holding the contents hostage using encryption software and demanding payment to unlock it.

The group is also suspected of compromising in India and Vietnam.

In addition it is accused of breaching video game companies to steal in-game items to sell back to gamers, the Justice Department court filings said.

How did they operate?

Their arsenal ran the gamut from old-fashioned phishing emails to more sophisticated attacks on software development companies to modify their code, which then allowed them access to clients’ computers.

In one case documented by security company FireEye, APT41 sent emails containing malicious software to human resources employees of a target just three days after the firm recovered from a previous attack by the group.

Wong Ong Hua and Ling Yang Ching, the two Malaysian businessmen, ordered their employees to create thousands of fake video game accounts in order to receive the virtual objects stolen by APT41 before selling them on, the court documents allege.

Is the Chinese government behind them?

FireEye says the group’s targeting of industries including healthcare, telecoms and news media is “consistent with Chinese national policy priorities”.

APT41 collected information on pro-democracy figures in Hong Kong and a Buddhist monk from Tibet—two places where Beijing has faced political unrest.

One of the hackers, Jiang Lizhi, who worked under the alias “Blackfox”, had previously worked for a hacking group that served government agencies and boasted of close connections with China’s Ministry of State Security.

But many of the group’s activities appear to be motivated by financial gain and personal interest—with one laughing in chat messages about mass-blackmailing wealthy victims—and the US indictments did not identify a strong official connection.

Where are they now?

The five Chinese hackers remain at large but the two businessmen were arrested in Malaysia on Monday after a sweeping operation by the FBI and private companies including Microsoft to block the hackers from using their online accounts.

The United States is seeking their extradition.

None of the men charged are known to have lived in the US, where some of their targets were located.

They picked targets outside Malaysia and China because they believed law enforcement would not be able to track them down across borders, the court documents said.