Chinese state-sponsored threat group Winnti compromised at least 13 organizations globally in 2021, spanning across multiple sectors, cybersecurity firm Group-IB says.
Also referred to as APT41, Barium, Blackfly, Double Dragon, Wicked Panda, and Wicked Spider, the Winnti group has been active since at least 2007, engaging in both cyberespionage operations and financially motivated attacks.
In September 2020, the US Department of Justice announced charges against five Chinese nationals believed to be part of the Winnti group, who allegedly launched attacks against over 100 organizations in the US and abroad.
Despite the indictment and numerous public reports detailing the group’s activities, the hackers continued their operations. In March 2022, Mandiant detailed the hacking of at least six US state government organizations between May 2021 and February 2022.
In a new report, Group-IB provides a broader perspective on the group’s activities throughout 2021: the hackers compromised at least 13 organizations, often targeting SQL injection vulnerabilities in web applications, but deploying a custom Cobalt Strike Beacon in each case.
Targets included airlines, consulting, education, finance, government, hospitality, healthcare, logistics, manufacturing, media, software, sports, telecommunications, and travel organizations in Bangladesh, Brunei, China, India, Indonesia, Ireland, Hong Kong, Mongolia, Thailand, Taiwan, Vietnam, the US, and the UK.
As part of these attacks, the threat actor performed reconnaissance using tools such as vulnerability scanners (Acunetix, JexBoss), network scanners (Nmap), and brute-forcing utilities (OneForAll, Sqlmap, subdomain3, subDomainsBrute, and Sublist3r). They also used fofa.su, a Chinese equivalent of shodan.io, for gathering information on open ports and running services.
The attackers performed SQL injections against 43 web applications (out of 86 they probed) to access the command shell of the targeted servers and gain command execution capabilities. Task Scheduler and Windows services were used to achieve persistence.
Group-IB grouped the observed activity into four malicious campaigns, based on the domain names that were used in each of them: ColunmTK, DelayLinkTK, Gentle-Voice, and Mute-Pond.
As part of most of the observed campaigns, the attackers used a Windows utility called Ntdsutil to obtain the ntds.dit file, which stores Active Directory data, including user credentials. The hackers were also observed mapping the victim’s network and performing lateral movement.
After gaining access to server configurations, backup data, and user data, the cyberspies proceeded to exfiltrate information of interest, but Group-IB believes that they “did not exfiltrate a large amount of confidential documents.”