
Alston & Bird Privacy Blog


DOJ Charges Seven Individuals in Connection with Global Hacking Campaigns Against More Than 100 Companies

September 18, 2020 By Emily Poole

On September 16, 2020, the U.S. Department of Justice (DOJ) announced that seven individuals believed to be part of a hacking group known as APT41 or “Wicked Panda,” including five Chinese nationals and two Malaysian nationals, have been charged in connection with a global hacking campaign that affected more than 100 companies around the world. The charges were included in three separate indictments in August 2019 and August 2020. The DOJ also announced that the two Malaysian residents had been arrested in Sitiawan, Malaysia, pursuant to a provisional arrest request from the United States.

Below we highlight several key takeaways from this global hacking campaign and the recent DOJ announcements.

(1) Anyone can be a target.

The seven hackers are charged with carrying out computer intrusions against more than 100 victim companies in the U.S. and around the world, with the victims coming from a wide range of industries, including software development, manufacturing, telecommunications, social media companies, video games companies, non-profit organizations, universities, think tanks, foreign governments, and pro-democracy politicians and activists in Hong Kong. Reflecting the diverse victim profiles, the resulting theft involved varying types of information, including source code, software code signing certificates, customer account data, and valuable business information.

The attacks against the video game companies alone demonstrate the global nature of the hacking campaign. The victim companies were based in countries such as France, South Korea, Japan, Singapore, and the United States, and the attacks were allegedly carried out by two Chinese nationals with assistance from two Malaysian nationals, all of whom have been charged with crimes ranging from racketeering to false registration of domain names and violations of the Computer Fraud and Abuse Act (CFAA). The attacks resulted in the theft of in-game digital goods (e.g., video game currency).

(2) A sophisticated attacker doesn’t always mean a sophisticated attack.

The hackers used a wide range of techniques, ranging from sophisticated and tailored attacks to more basic attacks that relied on publicly available exploits and tools. Three of the attackers are alleged to have worked for the Chengdu 404 Network Technology Company, a Chinese company that publicly describes itself as a network security company composed of elite “white hat” hackers. As part of their alleged conspiracy, the individuals used sophisticated hacking methods such as supply chain attacks (including compromising a software provider’s systems and then modifying the provider’s code in order to gain access to the provider’s customers) and C2 “dead drops,” which are web pages that appear legitimate but actually contain malware.

Not all attacks were quite as sophisticated, however. The indictments reveal that in 2019 and 2020, the hackers also conducted a large-scale campaign to quickly exploit publicly identified vulnerabilities in widely used networking products (such as routers and VPNs) to gain access to victim networks before companies were able to patch the vulnerabilities.

(3) The indictments provide an example of successful cooperation between international governments and the private sector in combating cyber-crime.

Following the EU’s first cyber sanctions earlier this year, the indictments and subsequent arrest of two Malaysian individuals highlight growing international efforts to combat cyber-crime. As noted above, in August 2020, two Malaysian individuals were charged with conspiring with two Chinese hackers to attack video game companies around the world. According to the DOJ’s announcement, less than one month later, on September 14, 2020, Malaysian authorities arrested the two individuals pursuant to a provisional arrest request from the United States, with a view to their extradition.

The DOJ also announced that in September 2020, with the assistance of several private companies, the FBI executed seizure warrants issued by the U.S. District Court for the District of Columbia, allowing the FBI to seize “hundreds of accounts, servers, domain names, and command-and-control (C2) ‘dead drop’ web pages” used by the defendants to carry out hacking activities. The DOJ’s announcement specifically thanked Microsoft, Google, and Verizon Media for the assistance they provided in the investigation, including disabling numerous accounts for violations of the companies’ terms of service, and in the case of Microsoft, helping to develop technical measures to block threat actors from accessing victim systems.


Filed Under: China, Cybercrime, Digital Crimes, Enforcement, International Tagged With: APT41, China, dead drop, extradition, hacker, indictment, Malaysia, Microsoft, supply chain attack, Wicked Panda

About Emily Poole

Emily Poole is an associate on Alston & Bird’s Privacy & Data Security and Cybersecurity Preparedness & Response teams. She focuses her practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.
