Since June 1^st 2024, Chinese frontline threat actor APT 41 has been linked to as many as 63 events globally. These include attacks on Taiwanese research agencies in August and attacks on the shipping and logistics, utilities, media and entertainment, technology, and automobile sectors in countries such as Taiwan, Thailand, Italy, UAE, Spain, the United Kingdom, and Turkey in July.

The group is known to have successfully penetrated networks connected with critical infrastructure in as many as 29 countries as of this year.

The group has registered a whopping 900 percent rise in its presence this year as measured by the IOCs recovered from various events analyzed by Sectrio’s Threat Research team.  

So why has APT 41 turned hyperactive in 2024 and what does this mean for critical infrastructure operators around the world? Let’s find out.

Background of APT 41

APT 41 has been a group reserved for carrying out the most sophisticated attacks on few of China’s chosen geo-political rivals. Hitherto, this group had a mandate covering the G7 countries, India, South Korea, Taiwan and Vietnam. As things stand, APT 41 is assigned the best talent, weapons, and exploits to work with, thanks to its ranking by the Chinese Ministry of State Security as a frontline cyber intelligence gathering entity.

Read now: The Complete Guide to OT SOC

Periodically, the group is split for administrative (and/or project) reasons. The splinter groups are assigned strategic targets to pursue only to be merged with APT 41 once the target data is acquired or the project closed.

It is believed that APT 41 also covers several shadow groups working under the direct tutelage of senior members such as Dalin Tan and Qian Chuan. Such groups do not have any direct affiliation with the MSS and their operations are channeled through APT 41 and they may even be on the direct payroll of APT 41.

[You can read more about APT 41 in our comprehensive intelligence note on this threat actor presented in our Threat Landscape Report 2024]

As per Sectrio’s Threat Research Team, APT 41 also runs an intelligence crunching operation that churns out intelligence of very high quality that is shared directly with the CCP leadership.

This intel is also used to shape the geopolitical responses of China in addition to being used to shape specific long-term military and diplomatic interventions as well. The strategic importance of the intelligence gathered by APT 41 and recent moves by many APT 41 target countries offers a clue on why APT 41 is in such a hurry to target multiple critical infrastructure operators.

We will get there in a minute but before that, it is important to understand what has changed in the last few months.

Rising legislative attention on critical infrastructure security        

In the last few months, many countries have enacted legislation on Industrial Control System/OT cybersecurity. These legislations mandate cyber risk and gap assessment, deployment of OT Security Operations Center (SOC), better reporting and asset visibility and enhanced monitoring of OT/ICS networks.

There is increased scrutiny on critical infrastructure operators and regulatory bodies are also conducting surprise checks on various entities to check their preparedness levels to deal with cyber risks and threats. Penalties are in order as well.

Many critical infrastructure entities are also conducting security acceptance tests on systems and assets to ensure they are free of backdoors and that they do not leak any data or have security issues that could compromise the device or networks connected to it.

 This coupled with regular IEC 62443-based risk and gap assessments is helping critical infrastructure operators scale their security posture and bring it closer to the levels of risks these entities are exposed to.

So how does this impact APT 41 and its operations you may ask?

The answer is simple. With security measures intensifying, the MSS understands that its window of opportunity for exfiltrating data and maintaining a menacing presence through APT 41 will diminish considerably in the days to come.

There is certainly a growing realization among the bosses at APT 41 that they need to hurry up. This hurry has led to APT 41 and its sister actors

• shrinking their malware development and release cycles   
• launching revenue-gathering operators (AKA finally motivated crimes)
• launching more campaigns across targets of primary and secondary interest within a short period of time

The sense of urgency has also led to errors across geos revealing its modus operandi as well as the measures it is using to breach networks and maintain surveillance.

APT 41’s attempts to plant reconware have been exposed in multiple instances including two times in the recent past when APT actors tried to engage a decoy infra in an apparent surveillance bid.

What the future holds for APT 41?

It is too early to say but one can assert arguably that APT 41 will continue to evolve its tactics and tools in the future with more funding and talent. This is something that won’t change in the days to come and APT 41 may even reduce or increase the targets in its crosshairs depending on the mandate given by the MSS.

APT 41 is an evolved threat actor and if its past track record is anything to go by, we may very well be witnessing a new phase in its evolution. It also serves as a test bed for new and emerging threat actors to test new breach tactics as well.

MSS may even reconfigure the group by adding newer players to keep the group going.

Talk to us to learn how your crown jewels and assets can be protected through a custom-built ICS security plan. Contact us now!

Learn more about an IEC 62443-base cyber threat and risk assessment for your infrastructure.

Book a free consultation with our Industrial Control System security expert to learn about the latest cyber risk minimization strategies and models.

Book a consultation with our ICS security experts now. Contact Us

 Thinking of an ICS security training program for your employees? Talk to us for a custom package.   

*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Prayukth K V. Read the original post at: https://sectrio.com/blog/why-is-chinese-threat-actor-apt-41-in-a-hurry/