
Alston & Bird Privacy, Cyber & Data Strategy Blog


DOJ Charges Seven Individuals in Connection with Global Hacking Campaigns Against More Than 100 Companies

September 18, 2020 By Privacy, Cyber & Data Strategy Team

On September 16, 2020, the U.S. Department of Justice (DOJ) announced that seven individuals believed to be part of a hacking group known as APT41 or “Wicked Panda,” including five Chinese nationals and two Malaysian nationals, have been charged in connection with a global hacking campaign that affected more than 100 companies around the world. The charges were included in three separate indictments in August 2019 and August 2020. The DOJ also announced that the two Malaysian residents had been arrested in Sitiawan, Malaysia, pursuant to a provisional arrest request from the United States.

Below we highlight several key takeaways from this global hacking campaign and the recent DOJ announcements.

(1) Anyone can be a target.

The seven hackers are charged with carrying out computer intrusions against more than 100 victim companies in the U.S. and around the world, with the victims coming from a wide range of industries, including software development, manufacturing, telecommunications, social media companies, video game companies, non-profit organizations, universities, think tanks, foreign governments, and pro-democracy politicians and activists in Hong Kong. Reflecting the diverse victim profiles, the resulting theft involved varying types of information, including source code, software code signing certificates, customer account data, and valuable business information.

The attacks against the video game companies alone demonstrate the global nature of the hacking campaign. The victim companies were based in countries such as France, South Korea, Japan, Singapore, and the United States, and the attacks were allegedly carried out by two Chinese nationals with assistance from two Malaysian nationals, all of whom have been charged with crimes ranging from racketeering to false registration of domain names and violations of the Computer Fraud and Abuse Act (CFAA). The attacks resulted in the theft of digital goods (e.g., video game currency) relating to video games.

(2) A sophisticated attacker doesn’t always mean a sophisticated attack.

The hackers used a wide range of techniques, ranging from sophisticated and tailored attacks to more basic attacks that involved publicly available exploits and tools. Three of the attackers are alleged to have worked for the Chengdu 404 Network Technology Company, which is a Chinese company that publicly describes itself as a network security company composed of elite “white hat” hackers. As part of their alleged conspiracy, the individuals used sophisticated hacking methods such as supply chain attacks (including compromising a software provider’s systems and then modifying the provider’s code in order to gain access to the provider’s customers) and employing C2 “dead drops,” which are web pages that appear legitimate but which actually contain malware.

Not all attacks were quite as sophisticated, however. The indictments reveal that in 2019 and 2020, the hackers also conducted a large-scale campaign to quickly exploit publicly identified vulnerabilities in widely used networking products (such as routers and VPNs) to gain access to victim networks before companies were able to patch the vulnerabilities.

(3) The indictments provide an example of successful cooperation between international governments and the private sector in combatting cyber-crime.

Following the EU’s first cyber sanctions earlier this year, the indictments and subsequent arrest of two Malaysian individuals highlight growing international efforts to combat cyber-crime. As noted above, in August 2020, two Malaysian individuals were charged with conspiring with two Chinese hackers to attack video game companies around the world. According to the DOJ’s announcement, less than one month later, on September 14, 2020, Malaysian authorities arrested the two individuals pursuant to a provisional arrest request from the United States, with a view to their extradition.

The DOJ also announced that in September 2020, with the assistance of several private companies, the FBI executed seizure warrants issued by the U.S. District Court for the District of Columbia, allowing the FBI to seize “hundreds of accounts, servers, domain names, and command-and-control (C2) ‘dead drop’ web pages” used by the defendants to carry out hacking activities. The DOJ’s announcement specifically thanked Microsoft, Google, and Verizon Media for the assistance they provided in the investigation, including disabling numerous accounts for violations of the companies’ terms of service, and in the case of Microsoft, helping to develop technical measures to block threat actors from accessing victim systems.

 

Filed Under: China, Cybercrime, Digital Crimes, Enforcement, International Tagged With: APT41, China, dead drop, extradition, hacker, indictment, Malaysia, Microsoft, supply chain attack, Wicked Panda
