At least 80 businesses targeted by the Chinese Winnti hacking group APT41
At least 80 businesses were targeted by the Chinese Winnti hacking group, also known as “APT41” or “Wicked Spider,” last year, and at least thirteen of those networks were successfully compromised. Researchers at Group-IB have been tracking Winnti’s activity, and they believe 2021 will be one of the most “intense” years for Chinese hackers. According to the experts, Winnti specifically targeted American software development and hospitality businesses, an aviation company in India, media, manufacturing, and governmental organizations in Taiwan, and software vendors in China.
In pursuit of their objectives, Winnti also breached Thai military portals; academic websites in the UK, Ireland, and Hong Kong; and a number of government websites in India. In the course of these campaigns, Winnti used a variety of tactics, including phishing, watering holes, supply chain intrusions, and several SQL injections. To find vulnerabilities in targeted networks or to move laterally within them, the threat actors combined general-purpose and specialized tools, such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subdomain brute, Sublist3r, and the “venerable” Cobalt Strike.
As a result of its comprehensive monitoring of the threat group’s activity, Group-IB was able to estimate the hackers’ geographical location from their working hours, which typically follow a defined schedule.
The team starts working at 9:00 AM and finishes around 7:00 PM in the UTC+8 time zone, which puts the group in a strong position to execute operations in real time against targets in China, Malaysia, Singapore, Russia, and Australia. Winnti spent relatively little time working on weekends; however, some activity was observed on Sundays, suggesting that the group may have been carrying out tasks that understaffed IT teams are unlikely to detect.
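The working-hours attribution described above can be reproduced by an analyst from event timestamps: shift UTC timestamps by each candidate offset and keep the one under which the activity best fits a 09:00–19:00 weekday schedule. This is an added example, not code from Group-IB or the article; the event timestamps are constructed to mimic the schedule the researchers reported.

```python
from datetime import datetime, timedelta, timezone

def constructed_sample():
    """Constructed sample: UTC timestamps of intrusion-related events (e.g. beacon
    check-ins or tool launches from proxy/EDR logs), generated here to mimic a
    crew working 09:00-19:00 local time in UTC+8 on weekdays only."""
    local_tz = timezone(timedelta(hours=8))
    events = []
    day = datetime(2020, 3, 2, tzinfo=local_tz)  # a Monday
    for d in range(14):                           # two weeks of activity
        current = day + timedelta(days=d)
        if current.weekday() >= 5:                # operators idle on Sat/Sun
            continue
        for hour in range(9, 19):                 # one event per working hour
            events.append(current.replace(hour=hour).astimezone(timezone.utc))
    return events

def work_hour_fit(events, offset_hours, work_start=9, work_end=19):
    """Fraction of events that land inside the working window on a weekday
    once the UTC timestamps are viewed in the candidate offset's local clock."""
    tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for ts in events:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and work_start <= local.hour < work_end:
            inside += 1
    return inside / len(events)

def weekend_share(events, offset_hours):
    """Fraction of events that fall on Saturday or Sunday in the given offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(ts.astimezone(tz).weekday() >= 5 for ts in events) / len(events)

def infer_utc_offset(events, work_start=9, work_end=19):
    """Return (offset, fit) for the UTC offset whose local clock best explains
    the activity as a 9-to-7 weekday schedule; ties go to the offset nearest 0."""
    scores = {off: work_hour_fit(events, off, work_start, work_end)
              for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best]

if __name__ == "__main__":
    sample = constructed_sample()
    offset, fit = infer_utc_offset(sample)
    print(f"best offset: UTC{offset:+d}  fit={fit:.2f}  "
          f"weekend share={weekend_share(sample, offset):.2f}")
```

On real data the fit will be well below 1.0; what matters is that one offset stands out clearly from its neighbours and that the weekend share is low, as in Group-IB's observations.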