# Chinese APT Groups

## **APT41 (Winnti Group)**

* **Affiliation:** Chinese state-sponsored
* **Activities:** Known for dual espionage and cybercrime operations, targeting healthcare, high-tech, telecommunications sectors, and the video game industry. Unique for its financially motivated activities alongside state-sponsored espionage.
* **Targets:** Healthcare, high-tech, telecommunications, video game industry.
* **TTPs (Tactics, Techniques, Procedures):**
  * **Supply chain compromises:** [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/)
  * **Use of backdoors and RATs:** [Remote Access Software](https://attack.mitre.org/techniques/T1219/)
  * **Financially motivated cybercrime activities:** [Resource Development](https://attack.mitre.org/tactics/TA0042/)
  * **Exploitation of software vulnerabilities:** [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211/)
  * **Data exfiltration and intellectual property theft:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
* **Notable Incidents:**
  * **Global Cyber Espionage:** Targeting multiple industries, including the theft of intellectual property from healthcare, high-tech, and telecommunications sectors. APT41 used sophisticated techniques to gain access to sensitive data and research. [Read more](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt41.pdf)
  * **Video Game Industry Attacks (2020):** Stealing in-game currency and intellectual property from major gaming companies. This involved compromising game servers and developer accounts. [Read more](https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-group.html)
  * **US Healthcare Sector (2019):** Targeted the US healthcare sector, stealing patient data and intellectual property related to medical research. APT41 used spear-phishing and malware to infiltrate healthcare organizations. [Read more](https://www.dhs.gov/sites/default/files/publications/CRR-APT41-Activities-Report.pdf)
  * **Global Universities (2020):** Conducted cyber espionage against universities worldwide, stealing research data related to biotechnology and other advanced fields. APT41 used sophisticated malware to maintain persistent access. [Read more](https://www.fireeye.com/blog/threat-research/2020/08/apt41-global-universities-espionage.html)
  * **US Gaming Industry (2021):** Targeted the US gaming industry, stealing game source code and other valuable data. This operation involved the use of advanced malware and exploitation of vulnerabilities in gaming platforms. [Read more](https://www.recordedfuture.com/apt41-us-gaming-attacks)

## **APT40 (Leviathan)**

* **Affiliation:** Chinese Ministry of State Security (MSS)
* **Activities:** Active since at least 2009, targeting governmental organizations, companies, and universities in industries such as biomedical, robotics, and maritime research. Known for stealing trade secrets and intellectual property.
* **Targets:** Governmental organizations, biomedical, robotics, maritime research sectors.
* **TTPs:**
  * **Spear-phishing:** [Spearphishing Attachment, Spearphishing Link, Spearphishing via Service](https://attack.mitre.org/techniques/T1566/)
  * **Exploitation of vulnerabilities:** [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211/)
  * **Use of malware like PlugX and Winnti:** [Malware](https://attack.mitre.org/techniques/T1505/)
  * **Data exfiltration:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
  * **Intellectual property theft:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
* **Notable Incidents:**
  * **Maritime Industry Targeting (2019):** APT40 focused on naval and shipping companies, stealing sensitive information related to shipbuilding and maritime operations. This involved the use of spear-phishing and custom malware to infiltrate maritime organizations. [Read more](https://www.cfr.org/cyber-operations/apt40)
  * **Academic Institutions (2020):** APT40 conducted cyber espionage against academic institutions, focusing on research data related to biomedical and robotics fields. This involved the use of advanced malware and exploitation of software vulnerabilities. [Read more](https://portswigger.net/daily-swig/who-is-behind-apt40-what-we-know-about-this-nation-state-cybercrime-group)
  * **Defense Contractors (2021):** Targeted defense contractors, stealing information related to military technologies. APT40 used spear-phishing and custom malware to gain access to sensitive defense-related data. [Read more](https://www.cfr.org/cyber-operations/apt40)

## **APT43**

* **Affiliation:** Chinese state-sponsored
* **Activities:** Known for cyber espionage and targeting NGOs, private companies, and government organizations. Often involved in operations aligned with China's geopolitical interests.
* **Targets:** NGOs, private companies, government organizations.
* **TTPs:**
  * **Spear-phishing:** [Spearphishing Attachment, Spearphishing Link, Spearphishing via Service](https://attack.mitre.org/techniques/T1566/)
  * **Use of RATs and backdoors:** [Remote Access Software](https://attack.mitre.org/techniques/T1219/)
  * **Credential theft:** [Credential Dumping](https://attack.mitre.org/techniques/T1003/)
  * **Network reconnaissance:** [Discovery](https://attack.mitre.org/tactics/TA0007/)
  * **Data exfiltration:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
* **Notable Incidents:**
  * **South Korean Government Hack (2018):** APT43 targeted the South Korean government, stealing sensitive political and military information. This operation involved sophisticated spear-phishing campaigns and the use of remote access tools to exfiltrate data. [Read more](https://www.fireeye.com/blog/threat-research/2018/11/apt38-unraveling-the-north-korean-lazurus-operations.html)
  * **South Korean Media Hack (2019):** Infiltrated South Korean media organizations, aiming to influence public opinion by spreading propaganda and misinformation. APT43 used spear-phishing and custom malware to gain access to media networks. [Read more](https://www.recordedfuture.com/north-korean-apt-group-kimsuky-targeting-south-korea/)
  * **South Korean Defense Contractors Hack (2020):** Targeted South Korean defense contractors to steal information related to military technologies. APT43 used advanced malware and network reconnaissance techniques to achieve their objectives. [Read more](https://www.cfr.org/cyber-operations/apt43)
  * **Operations in South China Sea (2020):** APT43 targeted entities in the South China Sea region to support China's geopolitical interests, focusing on maritime research and defense-related information. [Read more](https://www.cfr.org/cyber-operations/apt43)
