APT41 – A spy who steals or a thief who spies

APT41 – The Spy Who Encrypted Me.

This case study is based on our most recent investigation into one of APT41’s operations against a major global nonprofit organization. Our client contacted us at the end of March 2020 after discovering the ransom notes…

LIFARS evidence from the forensic investigation was used in the criminal indictment.

When a nation-state actor becomes a cybercriminal (and vice-versa).

This could be the opening of an action or cloak-and-dagger movie. Unfortunately, it is the actor we faced in some of our recent cases: APT41 is a threat actor that appears to be both nation-state and cybercriminal, engaging in espionage or industrial espionage and also in extortion through ransomware attacks.
As cybersecurity specialists, finding that an attack we are investigating ties back to an APT group is always a major signal: given the resources nation-states can put into these groups, anything and everything is possible.
Since the end of March 2020, we have encountered cases that bear the hallmarks of such actors; more specifically, of a threat actor that behaves at times as a nation-state and at times as a cybercriminal.

An advanced persistent threat (APT) is typically either a nation-state actor, which aims to benefit its state through sabotage, espionage, or industrial espionage, or a cybercriminal, whose aim is to steal money through theft, fraud, ransom, or blackmail.

One such “dual-faced” group is the China-based group APT41. Known for both financially motivated and state-sponsored campaigns, its origins date back to as early as 2012, when it targeted the video game industry. Its most famous action was stealing digital certificates from compromised victims; those certificates were then used to sign malware implanted on victims’ networks, which was later leveraged to run state-sponsored campaigns.
Our recent cases have pitted us against this threat actor.
This case study shows some of the highlights of our first investigation in which APT41’s involvement was impossible to deny. It also provides the indicators of compromise (IOCs) we gathered in the process.
