# Chinese APT Groups

## **APT41 (Winnti Group)**

* **Affiliation:** Chinese state-sponsored
* **Activities:** Known for conducting espionage and cybercrime operations in parallel, targeting the healthcare, high-tech, telecommunications, and video game sectors. Unusual among state-sponsored groups for running financially motivated operations alongside its espionage activity.
* **Targets:** Healthcare, high-tech, telecommunications, video game industry.
* **TTPs (Tactics, Techniques, Procedures):**
  * **Supply chain compromises:** [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/)
  * **Use of backdoors and RATs:** [Remote Access Software](https://attack.mitre.org/techniques/T1219/)
  * **Financially motivated cybercrime activities:** [Resource Development](https://attack.mitre.org/tactics/TA0042/)
  * **Exploitation of software vulnerabilities:** [Exploitation for Privilege Escalation, Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1068/)
  * **Data exfiltration and intellectual property theft:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
* **Notable Incidents:**
  * **Global Cyber Espionage:** Targeting multiple industries, including the theft of intellectual property from healthcare, high-tech, and telecommunications sectors. APT41 used sophisticated techniques to gain access to sensitive data and research. [Read more](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt41.pdf)
  * **Video Game Industry Attacks (2020):** Stealing in-game currency and intellectual property from major gaming companies. This involved compromising game servers and developer accounts. [Read more](https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-group.html)
  * **US Healthcare Sector (2019):** Targeted the US healthcare sector, stealing patient data and intellectual property related to medical research. APT41 used spear-phishing and malware to infiltrate healthcare organizations. [Read more](https://www.dhs.gov/sites/default/files/publications/CRR-APT41-Activities-Report.pdf)
  * **Global Universities (2020):** Conducted cyber espionage against universities worldwide, stealing research data related to biotechnology and other advanced fields. APT41 used sophisticated malware to maintain persistent access. [Read more](https://www.fireeye.com/blog/threat-research/2020/08/apt41-global-universities-espionage.html)
  * **US Gaming Industry (2021):** Targeted the US gaming industry, stealing game source code and other valuable data. This operation involved the use of advanced malware and exploitation of vulnerabilities in gaming platforms. [Read more](https://www.recordedfuture.com/apt41-us-gaming-attacks)

## **APT40 (Leviathan)**

* **Affiliation:** Chinese Ministry of State Security (MSS)
* **Activities:** Active since at least 2009, targeting governmental organizations, companies, and universities in industries such as biomedical, robotics, and maritime research. Known for stealing trade secrets and intellectual property.
* **Targets:** Governmental organizations, biomedical, robotics, maritime research sectors.
* **TTPs:**
  * **Spear-phishing:** [Spearphishing Attachment, Spearphishing Link, Spearphishing via Service](https://attack.mitre.org/techniques/T1566/)
  * **Exploitation of vulnerabilities:** [Exploitation for Privilege Escalation, Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1068/)
  * **Use of malware like PlugX and Winnti:** [Malware](https://attack.mitre.org/techniques/T1505/)
  * **Data exfiltration:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
  * **Intellectual property theft:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
* **Notable Incidents:**
  * **Maritime Industry Targeting (2019):** APT40 focused on naval and shipping companies, stealing sensitive information related to shipbuilding and maritime operations. This involved the use of spear-phishing and custom malware to infiltrate maritime organizations. [Read more](https://www.cfr.org/cyber-operations/apt40)
  * **Academic Institutions (2020):** APT40 conducted cyber espionage against academic institutions, focusing on research data related to biomedical and robotics fields. This involved the use of advanced malware and exploitation of software vulnerabilities. [Read more](https://portswigger.net/daily-swig/who-is-behind-apt40-what-we-know-about-this-nation-state-cybercrime-group)
  * **Defense Contractors (2021):** Targeted defense contractors, stealing information related to military technologies. APT40 used spear-phishing and custom malware to gain access to sensitive defense-related data. [Read more](https://www.cfr.org/cyber-operations/apt40)

## **APT43**

* **Affiliation:** Chinese state-sponsored
* **Activities:** Known for cyber espionage and targeting NGOs, private companies, and government organizations. Often involved in operations aligned with China's geopolitical interests.
* **Targets:** NGOs, private companies, government organizations.
* **TTPs:**
  * **Spear-phishing:** [Spearphishing Attachment, Spearphishing Link, Spearphishing via Service](https://attack.mitre.org/techniques/T1566/)
  * **Use of RATs and backdoors:** [Remote Access Software](https://attack.mitre.org/techniques/T1219/)
  * **Credential theft:** [Credential Dumping](https://attack.mitre.org/techniques/T1003/)
  * **Network reconnaissance:** [Discovery](https://attack.mitre.org/tactics/TA0007/)
  * **Data exfiltration:** [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)
* **Notable Incidents:**
  * **South Korean Government Hack (2018):** APT43 targeted the South Korean government, stealing sensitive political and military information. This operation involved sophisticated spear-phishing campaigns and the use of remote access tools to exfiltrate data. [Read more](https://www.fireeye.com/blog/threat-research/2018/11/apt38-unraveling-the-north-korean-lazurus-operations.html)
  * **South Korean Media Hack (2019):** Infiltrated South Korean media organizations, aiming to influence public opinion by spreading propaganda and misinformation. APT43 used spear-phishing and custom malware to gain access to media networks. [Read more](https://www.recordedfuture.com/north-korean-apt-group-kimsuky-targeting-south-korea/)
  * **South Korean Defense Contractors Hack (2020):** Targeted South Korean defense contractors to steal information related to military technologies. APT43 used advanced malware and network reconnaissance techniques to achieve its objectives. [Read more](https://www.cfr.org/cyber-operations/apt43)
  * **Operations in the South China Sea (2020):** APT43 targeted entities in the South China Sea region in support of China's geopolitical interests, focusing on maritime research and defense-related information. [Read more](https://www.cfr.org/cyber-operations/apt43)
