A research firm has identified groups associated with Chinese state intelligence as the malicious actors behind a long-running and previously unreported operation by the Winnti umbrella group.
401TRG, the research arm of ProtectWise, has reported that it has linked Winnti to Chinese state intelligence. It considers Winnti an overarching organisation made up of several teams and actors whose tactics, techniques, and procedures align, and whose infrastructure and operations overlap with one another. The work is being done by separate teams of contractors outside the Chinese government, all working toward the same goal, which has most likely been set by the Chinese government.
“We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus. This assessment is based on attacker TTPs, observed attack infrastructure, and links to previously published intelligence,” the report said.
Interestingly, 401TRG noted that while Winnti's more public attacks against gaming and tech companies appear to be economically motivated, the hackers are actually playing a long game with a political objective.
Initial access is gained through phishing attacks, after which the hackers deploy either their own malware or a publicly available tool such as Metasploit or Cobalt Strike. To remain hidden, Winnti tries to use the victim's own software products, its approved remote access systems, or its system administration tools to spread through and maintain access to the network.
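Because the group hides behind the victim's own approved remote-access and administration tooling, signature-based detection of the tools themselves is of little use; the defensive handle is deviation from the established baseline of who runs those tools, from where, and when. The script below is an added illustration of that idea and is not taken from the 401TRG report or from this article. The log format, the sample events, the approved-host baseline, the business-hours window and the fan-out threshold are all constructed assumptions; a real deployment would take the baseline from the asset inventory and tune the thresholds to the environment.

```python
"""Flag out-of-baseline use of approved remote-administration tools.

Added example (not from the 401TRG report). Every field name, host name,
baseline entry and threshold here is a constructed assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2018-05-03T09:12:04 user=admin.jane tool=winrm src=jump01 dst=web01
2018-05-03T10:40:17 user=admin.jane tool=psexec src=jump01 dst=db01
2018-05-04T02:13:55 user=svc_backup tool=psexec src=ws-114 dst=fileserver01
2018-05-04T02:15:02 user=svc_backup tool=psexec src=ws-114 dst=dc01
2018-05-04T02:16:41 user=svc_backup tool=psexec src=ws-114 dst=build01
2018-05-04T14:05:09 user=admin.bob tool=winrm src=jump02 dst=web02
"""

# Hypothetical baseline: the jump hosts approved to run each admin tool.
APPROVED_SOURCES = {
    "psexec": {"jump01"},
    "winrm": {"jump01", "jump02"},
}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumed window)
FAN_OUT_THRESHOLD = 3           # distinct destinations from one (user, src)


def parse_event(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_anomalies(log_text, approved=APPROVED_SOURCES,
                   hours=BUSINESS_HOURS, fan_out=FAN_OUT_THRESHOLD):
    """Return unique (user, src, reason) tuples for baseline deviations.

    Three checks, each mapping to a way the described tradecraft shows up:
    1. an admin tool launched from a host not approved for that tool;
    2. admin-tool activity outside the normal working window;
    3. one (user, source) pair reaching many distinct hosts, which is what
       spreading through the network with legitimate tooling looks like.
    """
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    destinations = defaultdict(set)   # (user, src) -> set of dst hosts

    for e in events:
        user, src, tool = e["user"], e["src"], e["tool"]
        if src not in approved.get(tool, set()):
            findings.append((user, src, f"{tool} from non-approved host"))
        if e["ts"].hour not in hours:
            findings.append((user, src, f"{tool} outside business hours"))
        destinations[(user, src)].add(e["dst"])

    for (user, src), dsts in destinations.items():
        if len(dsts) >= fan_out:
            findings.append(
                (user, src, f"reached {len(dsts)} hosts (possible lateral movement)"))

    # Collapse repeated findings for the same (user, src, reason), keeping order.
    unique = []
    for f in findings:
        if f not in unique:
            unique.append(f)
    return unique


if __name__ == "__main__":
    for user, src, reason in find_anomalies(SAMPLE_LOG):
        print(f"{user}@{src}: {reason}")
```

On the constructed sample the three approved-host, business-hours events for admin.jane and admin.bob produce nothing, while the service account driving psexec from a workstation at 02:00 against three servers is flagged on all three checks. The point is the structure, not the thresholds: the same baseline-deviation logic applies to whichever remote-access product the organisation actually approves.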
The various groups operating under the Winnti umbrella have hit a variety of targets, primarily in the United States, Japan, South Korea and China. Although, as mentioned, the initial strikes tend to be against corporations, in those cases the attackers primarily seek code signing certificates and opportunities for software manipulation.
However, there are other attacks that 401TRG was able to attribute to Winnti with a definite political angle: those against Tibetan and Chinese journalists, Uyghur and Tibetan activists, and the government of Thailand.
Winnti has been operating since at least 2009 and possibly a year earlier, 401TRG said, adding that one reason the group could be identified and tracked is the operational mistakes it has made. Despite these errors, the group is still considered a highly dangerous threat, 401TRG said.