The advanced persistent threat (APT) group known as APT41 has used an open-source red-teaming tool, Google Command and Control (GC2), in cyber espionage attacks, marking a shift in its tradecraft. According to Google's Threat Analysis Group (TAG), the group, also tracked as HOODOO, Winnti, and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails containing links to a password-protected file hosted on Google Drive. Opening the file led to the GC2 payload being fetched onto the victim's machine. As detailed in Google Cloud's April 2023 Threat Horizons report, GC2 reads its operator commands from a Google Sheet, so its command-and-control traffic blends in with ordinary Google API traffic, and it exfiltrates data to Google Drive; it can also pull additional files from Drive onto the victim's system. TAG had previously observed APT41 using GC2 in July against an Italian job search website.
TAG researchers noted that incidents like this highlight several trends among China-affiliated threat actors: the use of publicly available tooling, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media. Chinese APT groups have increasingly used legitimate commercial and open-source penetration-testing frameworks such as Cobalt Strike, copies of which (cracked ones included) circulate on sites like GitHub; there has also been a shift to lesser-known red-teaming frameworks like Brute Ratel and Sliver to evade signatures tuned to the better-known tools. Relying on commodity tooling and on trusted, already-present infrastructure, the "living off the land" approach, is well established among financially motivated attackers but has been less common among APTs, which are better resourced and can develop custom tools. Christopher Porter, head of threat intelligence for Google Cloud, said in the report, "it is only prudent to consider that state-sponsored cyber threat actors may steal from the playbooks of cybercriminals to target such systems."
Porter also highlighted the use of cloud services for stealth and legitimacy: "A familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard coded into security systems screening for spam or malware." He added, "Cloud providers are useful targets for these kinds of operations, either as hosts for malware or providing the infrastructure for command-and-control." The group's activities illustrate the "continued overlap of public sector threat actors targeting private sector organizations with limited government ties," according to the TAG analysis.
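The practical consequence of the points above is that a domain allowlist will not catch GC2-style traffic, since both the command channel (Google Sheets) and the exfiltration channel (Google Drive) sit on the same Google API hosts that legitimate users hit all day. What can still stand out is the behaviour of the client: a non-browser process polling the Sheets API on a fixed cadence, and the same process pushing uploads to Drive. The following is an added example, not code from the TAG report or from the GC2 project. It assumes a simple proxy log format (epoch timestamp, client host, method, URL, quoted user-agent), uses the public Sheets v4 and Drive v3 REST endpoints, and treats the Go default user-agent `Go-http-client/1.1` as a hypothetical non-browser marker; whether GC2 actually sets that user-agent is not stated on the page. The log lines are constructed for illustration.

```python
"""Flag GC2-style C2 over Google Sheets/Drive in proxy logs.

Added example: not the TAG report's or GC2's own code. Assumes a proxy log of
the form: <epoch> <client-host> <METHOD> <url> "<user-agent>".
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

LOG_LINE = re.compile(
    r'^(?P<ts>\d+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
# Anything without a browser token is treated as a non-browser client.
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/|Edg/")

# Constructed sample log (not real traffic). ws-17 plays an infected host whose
# implant polls a Sheet every ~30 s and uploads to Drive; ws-03 is a person
# using Sheets and Drive from a browser at irregular times.
SAMPLE_LOG = """\
1681300000 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1aB2c/values/Sheet1!A1:C100 "Go-http-client/1.1"
1681300031 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1aB2c/values/Sheet1!A1:C100 "Go-http-client/1.1"
1681300060 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1aB2c/values/Sheet1!A1:C100 "Go-http-client/1.1"
1681300091 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1aB2c/values/Sheet1!A1:C100 "Go-http-client/1.1"
1681300120 ws-17 GET https://sheets.googleapis.com/v4/spreadsheets/1aB2c/values/Sheet1!A1:C100 "Go-http-client/1.1"
1681300135 ws-17 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart "Go-http-client/1.1"
1681300005 ws-03 GET https://docs.google.com/spreadsheets/d/9xYz/edit "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
1681300700 ws-03 GET https://sheets.googleapis.com/v4/spreadsheets/9xYz/values/Q2 "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
1681302410 ws-03 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
1681303900 ws-03 GET https://sheets.googleapis.com/v4/spreadsheets/9xYz/values/Q2 "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
"""


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = int(e["ts"])
        parts = urlsplit(e["url"])
        e["netloc"], e["path"] = parts.netloc, parts.path
        events.append(e)
    return events


def find_sheets_beacons(events, min_hits=4, max_cv=0.2):
    """Hosts polling the Sheets API from a non-browser client on a steady
    cadence: coefficient of variation of the inter-request gaps <= max_cv."""
    by_host = defaultdict(list)
    for e in events:
        if e["netloc"] == "sheets.googleapis.com" and not BROWSER_UA.search(e["ua"]):
            by_host[e["host"]].append(e["ts"])
    findings = []
    for host, times in by_host.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({"host": host, "hits": len(times),
                             "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def find_nonbrowser_drive_uploads(events):
    """Writes to the Drive upload endpoint from a non-browser client."""
    return [
        {"host": e["host"], "ts": e["ts"], "ua": e["ua"]}
        for e in events
        if e["netloc"] == "www.googleapis.com"
        and e["path"].startswith("/upload/drive/")
        and e["method"] in ("POST", "PUT", "PATCH")
        and not BROWSER_UA.search(e["ua"])
    ]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("Sheets beacons:", find_sheets_beacons(evts))
    print("Non-browser Drive uploads:", find_nonbrowser_drive_uploads(evts))
```

Two caveats when running this against real logs. Legitimate non-browser clients (Google Drive for desktop, backup agents, CI jobs using service accounts) also hit these endpoints, so the user-agent test is a triage signal and the cadence check needs a per-host baseline or a process-name field from an EDR rather than a proxy. And an implant that adds jitter to its polling interval will push the coefficient of variation above the threshold, so treat the 0.2 cut-off as a starting point, not a boundary.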
Last year, the same group was found deploying the Spyder Loader malware in an ongoing intelligence-gathering campaign against government organizations in Hong Kong, and compromising multiple US state government networks through the Log4Shell vulnerability in Log4j (CVE-2021-44228). Bronze Atlas is "one of the most prolific groups we have been tracking for a long time," says Marc Burnard, senior security researcher for Secureworks' Counter Threat Unit, which has tracked the group since at least 2007. During that time, the group "has been very prolific," he says. Burnard says APT41 has targeted a range of sectors, including government, healthcare, high-tech manufacturing, telcos, aviation, and non-governmental organizations (NGOs), as well as targets in line with China's political and economic interests. "They are primarily focused on stealing intellectual property, and they have also been involved in targeting political intelligence as well," he notes.
Asked why this particular Taiwanese media company would be targeted, Burnard says there could be several reasons, including the China-Taiwan political situation, a goal of using the victim as a stepping stone to other organizations and individuals, or possibly a "destructive element" too. As noted above, the TAG report found that the attackers' phishing emails linked to a legitimate cloud service in order to avoid detection: a link to a trusted cloud domain is far less likely to trip email filters than a link to attacker-registered infrastructure. Burnard points out that this is part of a style change for the group: until the last few years it was quite noisy in its attacks and not too worried about being detected. Since the 2020 US indictment of seven individuals, including five alleged APT41 members, its activity has become stealthier, and Burnard says the group is now moving towards legitimate tools like Cobalt Strike, and towards cloud services, to hide its intent and activity.