Double Dragon: APT41, a dual espionage and cyber crime operation

They hacked TeamViewer to hack others

The fact that APT41 had TeamViewer user logins and passwords has been known for about a year thanks to a great report by FireEye. However, only the indictment shows the scale of the intrusion into TeamViewer’s infrastructure. The company, referred to in the document as Electronic Service Provider #1 (ECS #1), was hacked no later than June 2015, and the criminals maintained their access at least until February 2017. In addition, they used the stolen access data for much longer. The intruders infected dozens of computers at the company that offers TeamViewer and stole the source code, the certificates used to sign the application, and the login data of the company’s clients.

Breaking into TeamViewer was an inexhaustible source of further inspiration for the hackers. The intercepted chats of the criminals show how they searched databases of listed companies, determined their domain names, and then searched the TeamViewer database for logins in those domains to gain access to the targets of interest.

Indictment against Chinese hackers
https://www.justice.gov/opa/press-release/file/1317206/download

Great report from FireEye.
https://content.fireeye.com/apt-41/rpt-apt41/

A popular encrypted messenger used in 200 countries

Another extremely interesting success is the entity called ECS #11, described as a “telecommunications service provider operating in the US, Europe, Asia and elsewhere”, as well as “the creator and distributor of the popular encrypted communication platform”. Before we try to determine which product this is, it is worth pointing out that the criminals had access to its infrastructure from March 2015 to at least January 2020. During these attacks they gained access not only to the source code, but also to the data of millions of users of this messenger. According to the indictment, they conducted 4 million searches of personal data in the victim’s infrastructure.

What do we know about the attacked company? Let’s summarize:

in March 2015 it was a global, popular messenger whose user accounts were linked to telephone numbers; in Russia it had more than 700,000 users (that is how many users’ personal data were stolen),
in Burma it had at least 268,000 users, and over 100,000 users in Egypt, Vietnam, Algeria, the Philippines and Ukraine,
it had users in 200 countries.

It is difficult to determine which application this may refer to. Once Telegram is ruled out, the number of potential candidates is too high.

