Chinese hacker group APT41 targeting Indian citizens with phishing attacks, credential stealers

Security researchers have discovered that a Chinese cyber espionage group, known as APT41, is targeting victims in India. Researchers from the BlackBerry Research and Intelligence team found three phishing lures aimed at victims in India, which contained information about new tax legislation and COVID-19 statistics. “These messages masqueraded as being from Indian government entities,” the company said in a statement.

“The phishing lures and attachments also fit tactics that were previously used in infection vectors by APT41. These findings show that the APT41 group is still regularly conducting new campaigns, and that they will likely continue to do so in the future,” it added.

Further, the report noted that APT41 is a “prolific Chinese state-sponsored cyberthreat group”, which has been involved in espionage and “financially motivated criminal activity” since 2012. “This threat group has targeted organizations around the world, in verticals such as travel, telecommunications, healthcare, news and education,” BlackBerry Research said.

The group is known to use phishing emails to gain initial access to victims, followed by malware such as keyloggers, backdoors and credential stealers.

The US government filed charges in 2020 against five APT41 members for hacking into more than 100 companies around the world. Officials said APT41 members had compromised foreign government computer networks in India and Vietnam, as well as pro-democracy politicians and activists in Hong Kong.

APT41's operations were first detailed in a report published in August 2019 by cybersecurity firm FireEye, which linked the group to some of the biggest supply-chain attacks of recent years. The group uses publicly available profiles designed to make its command-and-control traffic look like legitimate network traffic to services such as Amazon, Gmail and OneDrive.

BlackBerry found connections between this campaign and others described in reports published by FireEye in 2020, as well as by Prevailion, Subex and PTSecurity.

"The image we uncovered was that of a state-sponsored campaign that plays on people's hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user's machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic," the team said in its report.