Fact-checked by Velimir Velichkov
Hacker Group APT41 Targets Gambling Industry for Financial Gain
Chinese nation-state hacking group APT41 has allegedly targeted the gambling industry in a complex cyber attack that extended over the course of nine months

The well-known Chinese state-sponsored hacking group APT41 has been linked to a complex cyber attack targeting the gambling and gaming industry.
The group, also known as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti, allegedly infiltrated one of cybersecurity firm Security Joes’ clients and maintained persistent access for nearly nine months.
According to Ido Naor, the Israeli company’s co-founder and chief executive officer, over at least half a year, “the attackers stealthily gathered valuable information from the targeted company, including network configurations, user passwords, and secrets from the LSASS process.”
In the same statement, which Naor shared with The Hacker News, he said the group, which according to the FBI consists of members Zhang Haoran, Tan Dailin, Qian Chuan, Fu Qiang, and Jiang Lizhi, continuously adapted its toolset in response to the security team’s actions, modifying its strategies to avoid detection.
Financial Gain as Main Objective
The multi-stage attack, which overlaps with an intrusion set tracked by cybersecurity vendor Sophos as Operation Crimson Palace, highlights APT41’s ability to conduct both espionage and financially motivated attacks.
Security Joes suspects with high confidence that APT41’s objective in this instance was financial gain, a hallmark of their methodical and highly skilled approach.
The attackers used a custom toolset to evade the installed security software and create covert channels for persistent remote access.
Though the exact entry point remains unclear, it is suspected that spear-phishing emails were used, given the absence of vulnerabilities in the targeted system’s web applications.
Once inside the network, the attackers performed a DCSync attack to harvest password hashes of service and admin accounts, thus gaining broader access to the infrastructure.
They primarily targeted administrative and developer accounts, executing reconnaissance and post-exploitation activities while frequently adjusting their tactics in response to the defenders’ countermeasures.
The goal was to escalate privileges and to download and execute additional malicious payloads.
According to the Israeli security company, while the group temporarily ceased activity after detection, it later returned with a modified attack.
Complex Attacks in Several Industries
As per data from the FBI, in the last few years, the group allegedly “conducted supply chain attacks to gain unauthorized access to networks throughout the world,” targeting hundreds of companies belonging to a wide array of industries including telecommunications, social media, government, defense, education, and manufacturing in the US, Australia, China (Tibet), Chile, India, Indonesia, Malaysia, Pakistan, Singapore, South Korea, Taiwan, and Thailand.
They also reportedly “deployed ransomware attacks and demanded payments from victims.”
Cyberattacks are frequent occurrences in the gambling world. At the end of June, we reported on Olympia Gaming, a northern Nevada casino operator that became the victim of a cyberattack.
Last month, Riverside Resort & Casino in Laughlin, Nevada, was also the victim of a cyberattack that involved a data breach that compromised the confidential information of thousands of casino players.
After finishing her master's in publishing and writing, Melanie began her career as an online editor for a large gaming blog and has now transitioned over towards the iGaming industry. She helps to ensure that our news pieces are written to the highest standard possible under the guidance of senior management.