
Double Dragon (hacking group)

Double Dragon is a hacker group with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.

Associated personnel
In its earlier activities, APT 41 used domains registered to the monikers "Zhang Xuguang" (simplified Chinese: 张旭光) and "Wolfzhi". These online personas are associated with APT 41's operations and with specific Chinese-language online forums, although the number of other individuals working for the group is unknown. The persona also posted on a forum for the Age of Wushu online game in 2011, using the moniker "injuriesa". These actions targeted high-tech companies, video-game companies and six unnamed individuals from the United States and the United Kingdom while the two worked together. The FBI also charged Qian, Fu, and Jiang on August 11, 2020, with racketeering, money laundering, fraud, and identity theft. Their operations targeted victims in countries including the United States, Brazil, Germany, India, Japan, Sweden, Indonesia, Malaysia, Pakistan, Singapore, South Korea, Taiwan, and Thailand. These schemes, particularly a series of computer intrusions against the gaming industry, were conducted through the Malaysian company Sea Gamer Mall, which was founded by Wong. On September 14, 2020, Malaysian authorities arrested both individuals in Sitiawan.
Ties with the Chinese government
APT 41's operations are described as "moonlighting" because the group balances espionage supported by the Chinese state with financially motivated activity, conducted in its downtime and outside state authorization. As a result, it is harder to ascertain whether a particular incident is state-directed. The organization has conducted multiple operations against 14 countries, most notably the United States. Such activities include tracking individuals, compromising business supply chains, and collecting surveillance data. In 2022, APT 41 was linked to the theft of at least $20 million in COVID-19 relief aid in the U.S. APT 41 uses cyber-espionage malware that is typically reserved for the Chinese government. This characteristic is shared with other advanced persistent threats, as it allows them to gather information for spying on high-profile targets, or to make contact with those targets and obtain information that benefits national interests. APT 41's relationship with the Chinese state is evidenced by the fact that none of this information appears on the dark web and that it may be obtained by the CCP. APT 41's targeting is consistent with the Chinese government's national plans to move into high-end research and development fields and to increase production capabilities. Such initiatives coincide with the Chinese government's "Made in China 2025" plan, which aims to move Chinese production into high-value fields such as pharmaceuticals, semiconductors, and other high-tech sectors. FireEye has also assessed with moderate confidence that APT 41 may perform contract work for the Chinese government. Identified personas associated with the group have previously advertised their skills as hackers for hire. The group's use of HOMEUNIX and PHOTO in its personal and financially motivated operations also supports this assessment, since these malware families are not available to the public and are used by other state-sponsored espionage actors.
The FireEye report also noted that the Chinese state has relied on contractors to assist with other cyber-espionage operations, as demonstrated by prior Chinese advanced persistent threats such as APT 10. Some view APT 41 as potentially composed of skilled Chinese citizens who are employed and directed by the Chinese government, leading to the assumption that members of the group often work two jobs, an inference supported by their operating hours.
Techniques
The operating techniques of APT 41 are distinctive, particularly in the group's use of passive backdoors rather than traditional ones. While the traditional backdoors used by other advanced persistent threats are easily detectable, passive backdoors are often much harder to identify. Sophisticated malware is also deployed to remain undetected while extracting data. Recent research highlights Double Dragon's (APT 41) use of modified TLS certificates, particularly those generated with wolfSSL, to mask its command-and-control (C2) infrastructure. By customizing certificate fields to produce unique JA4X fingerprints, the group evades detection while advancing its cyber-espionage tactics. Spear-phishing emails are regularly used by APT 41 in both cyber-espionage and financial attacks. Targets have ranged from media groups, for espionage, to bitcoin exchanges, for financial gain.
Activities
Espionage activity
APT 41's targeting is deemed by FireEye to correlate with China's national strategies and goals, particularly those regarding technology. The targeting of tech firms aligns with Chinese interest in developing high-tech instruments domestically, as set out in the 12th and 13th Five-Year Plans. The group has also been discovered in several other industries, including healthcare, telecommunications, and technology. In 2021, APT 41 launched several phishing campaigns in India that were identified by the BlackBerry Research and Intelligence team. The group also stole data relating to new tax legislation and COVID-19 records and statistics, and it impersonated the Indian government in order to remain undetected.
Financially motivated activities
APT 41 has targeted the video-game industry for the majority of its financially motivated activity. Using more than 19 different digital certificates, the group targets both gaming and non-gaming organizations, avoiding detection and ensuring compatibility with the target's systems.
U.S. Department of Justice
On September 16, 2020, the United States Department of Justice unsealed charges against 5 Chinese and 2 Malaysian citizens for hacking more than 100 companies across the world. The victims included social media firms, universities, telecommunications providers, software development and computer hardware companies, video-game companies, non-profit organizations, think tanks, foreign governments, and pro-democracy supporters in Hong Kong. The attacks were said to have involved the theft of source code, code-signing certificates, customer data and business information. Two of the Chinese hackers also conducted attacks on the US gaming industry, involving at least 6 companies in New York, Texas, Washington, Illinois, California, and the United Kingdom. By contrast, Rosen criticized the Chinese Communist Party for its inaction in assisting the FBI with the arrest of the 5 Chinese hackers associated with APT 41.
Links with other groups
APT 41's activity overlaps with public reporting on other groups such as Barium and Winnti.