• APT41 – a dual espionage and cyber crime threat actor – is responsible for targeted operations against organizations in 15 jurisdictions, across multiple industries including healthcare, gaming, high-tech and the media.
FireEye, Inc., the intelligence-led security company, today released the details of its newly named Advanced Persistent Threat group – APT41. “APT41 is unique among the China-nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain. They are as agile as they are skilled and well-resourced,” said Sandra Joyce, SVP of Global Threat Intelligence at FireEye. “Their aggressive and persistent operations for both espionage and cyber crime purposes distinguish APT41 from other adversaries and make them a major threat across multiple industries.”
APT41: A Double Threat, Worldwide
APT41 activity spans across 15 jurisdictions and more than seven years, targeting industries such as healthcare, high-tech, telecommunications, higher education, video gaming, travel, and even news organizations.
FireEye has observed individual members of APT41 conducting primarily financially motivated operations since 2012 before expanding into likely state-sponsored activity. Evidence suggests that these two motivations were balanced concurrently from 2014 onward. To date, organizations have been targeted in the following locations: France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, the United Kingdom, the United States, and Hong Kong.
Tactics are shared between espionage and financial motivated operations:
- Espionage campaigns have targeted healthcare (medical devices and diagnostics), high-tech, and telecommunications with the purpose of collecting strategic intelligence, or as seen in the past, the theft of intellectual property.
- Financially motivated cyber crime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies, and ransomware deployment attempts.