APT, Third-party risk

‘SolarWinds is just part of the story’: Winnti threat group abusing trust since 2009

U.S. President Joe Biden participates in a virtual meeting with Chinese President Xi Jinping at the Roosevelt Room of the White House November 15, 2021 in Washington, DC. Cybercrime group Winnti is affiliated with the Chinese government, but they are not necessarily their full-time employees. (Photo by Alex Wong/Getty Images)

December will mark the one-year anniversary of Solorigate, when believed-Russian espionage groups leveraged SolarWinds updates and other product's vulnerabilities for a massive operation. It was the first time most executives seriously considered software as a supply chain. But it wasn't the first time attackers used the trust enterprises and individuals put in the developer's own network security.

"SolarWinds is just a part of the story. It wasn't the start of the story," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

Venafi released a white paper Thursday compiling more than a decade of research across numerous vendors on Winnti (also called APT41), an enigmatic threat group that has been abusing that trust since 2009.

Winnti has long fascinated researchers as an early example of hackers leveraged for nation-state espionage who also freelanced in cybercrime. They are affiliated with the Chinese government, but they are not necessarily their full-time employees. Winnti's oldest modus operandi was to steal code-signing certificates from software developers to make malware appear legitimate to antivirus programs and operating systems. More recently, they have also directly injected code into software during the production stage, including CCleaner in 2017 and ASUS LiveUpdate in 2019.

Winnti's use of code-signing attacks in 2009 would mean they began using the tactic just months before the most famous use of code signing — Stuxnet, which while ongoing in 2009 was not publicly documented until 2010.

"As all things go, weapons get passed down from the most sophisticated inventors. APT41 is the notch down from the most creative nation-state groups. But they learned from Stuxnet how effective what were effectively supply chain attacks could be," said Bocek.

One key lesson, said Bocek, is that last year's hottest nation-state attack vector will be coopted by criminals pretty soon after — criminals are aware of their peers' successes and of nations' successes.

Another key lesson from Winnti, he said, is that even lower-tier players have spent a decade finding ways to use the softest targets to breach more hardened ones. Throughout their run, Winnti has stolen code-signing credentials from gaming companies — who are often smaller, growth-focused, more-gas-than-breaks-type firms. Increasingly, that's a description that could apply to every company, as all companies of all stripes develop software.

The number of soft targets is exploding.

The United States has indicted seven Chinese nationals as members of the Winnti group.

"Attackers have always loved the soft points," said Bocek. "We've got some work to do to catch up"

prestitial ad