Content

Winnti cyber espionage group likely associated with Chinese state intelligence orgs

A research firm has fingered groups associated with Chinese state intelligence as the malicious actors behind a long-running and previously unreported operation by the Winnti umbrella group. 401TRG, the research arm of ProtectWise, has reported it has connected Winnti, which it considers to be an entity consisting of several teams and actors whose tactics, techniques, and procedures align, and whose infrastructure and operations overlap with each other an overarching organization. The work is being done by separate teams of contractors outside the Chinese government all working toward the same goal, which has been set most likely by the Chinese government. “We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus. This assessment is based on attacker TTPs, observed attack infrastructure, and links to previously published intelligence,” the report said. Interestingly, 401TRG noted that while Winnti's more public attacks against gaming and tech companies appear to be economically motivated, the hackers are actually playing a long-game that has a political objective. Initial target ingress is through phishing attacks after which the hackers inject either its own malware or a publicly available tool such as Metasploit or Cobalt Strike. In order to remain hidden Winnti tries to use the victim's own software products, its approved remote access systems, or system administration tools for spreading and maintaining access to the network. The various groups operating under the Winnti umbrella have hit a variety of targets, primarily in the United States, Japan, South Korea and China. Although, as mentioned, the initial strikes tend to be against corporations these are done where they primarily seek code signing certificates and software manipulation. However, there are other attacks 410TRG was able to attribute to Winnti with a definite political angle, these being against Tibetan and Chinese journalists, Uyghur and Tibetan activists and the government of Thailand. Winnti has been operating since at least 2009 and possibly even a year earlier, 401TGR said, adding that one reason the group could be identified and tracked is due to the operational mistakes it has made. However, despite these errors, the group is considered a highly dangerous threat, said 401TGR.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.