Actor: Winnti Group, Blackfly, Wicked Panda
Names: Winnti Group, Blackfly, Wicked Panda
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First-seen: 2010
Description: Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including {{APT 41}}, {{Axiom, Group 72}}, {{APT 17, Deputy Dog, Elderwood, Sneaky Panda}}, and {{Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon}}, are closely linked to or overlap with Winnti Group. (Trend Micro) The group behind the Winnti malware (which we will call the Winnti group for brevity) sprang up as a band of traditional cyber crooks, comprising black hats whose technical skills were employed to perpetrate financial fraud. Based on the domain names they registered, the group started out in the business of fake/rogue anti-virus products in 2007. In 2009, the Winnti group shifted to targeting gaming companies in South Korea using a self-named data- and file-stealing malware. The group, which was primarily motivated by profit, is noted for utilizing self-developed, technically proficient tools in their attacks. They once attacked a game server to illicitly farm in-game currency ("gaming gold", which also has real-world value) and stole the source code of online game projects. The group also engaged in the theft of digital certificates, which they then used to sign their malware to make it stealthier. The Winnti group diversified its targets to include enterprises such as those in pharmaceuticals and telecommunications. The group has since earned infamy for being involved in malicious activities associated with targeted attacks, such as deploying spear-phishing campaigns and building a backdoor.
Observed-sectors: Online video game companies
Observed-sectors: Aviation
Observed-sectors: Defense
Observed-sectors: Education
Observed-sectors: Financial
Observed-sectors: Government
Observed-sectors: Healthcare
Observed-sectors: Pharmaceutical
Observed-sectors: Technology
Observed-sectors: Telecommunications
Observed-countries: Belarus
Observed-countries: Brazil
Observed-countries: China
Observed-countries: Germany
Observed-countries: India
Observed-countries: Indonesia
Observed-countries: Japan
Observed-countries: Peru
Observed-countries: Philippines
Observed-countries: Russia
Observed-countries: South Korea
Observed-countries: Taiwan
Observed-countries: Thailand
Observed-countries: USA
Observed-countries: Vietnam
Tools: Cobalt Strike
Tools: FunnySwitch
Tools: Winnti
Operations: 2010
Operations: HBGary investigated an information security incident at an American video game company.
Operations: 2011
Operations: In the autumn of 2011, a Trojan was detected on a huge number of computers – all of them linked by the fact that they were used by players of a popular online game. It emerged that the piece of malware landed on users’ computers as part of a regular update from the game’s official update server. Some even suspected that the publisher itself was spying on players. However, it later became clear that the malicious program ended up on the users’ computers by mistake: the cybercriminals were in fact targeting the companies that develop and release computer games. https://securelist.com/winnti-more-than-just-a-game/37029/
Operations: 2011
Operations: For example, by 2011, one of their victims was Gameforge, a company that offers so-called freemium games: while playing the games is free, it is possible to buy virtual items/money with real money. The Winnti hackers were able to directly access Gameforge's databases and modify accounts to become 'virtually' richer. https://media.cert.europa.eu/static/MEMO/2019/TLP-WHITE-CERT-EU-MEMO-190725-1.pdf
Operations: 2014 Summer
Operations: The Winnti hackers broke into Henkel’s network in 2014. We have three files showing that this happened. https://web.br.de/interaktiv/winnti/english/
Operations: 2014-08
Operations: This time the operators put such a tag in the configuration, and it turned out to be the name of a well-known global pharmaceutical company headquartered in Europe. https://securelist.com/games-are-over/70991/
Operations: 2015
Operations: The hackers behind Winnti have also set their sights on Japan’s biggest chemical company, Shin-Etsu Chemical. We have in our hands several varieties of the 2015 malware which was most likely used for the attack. https://web.br.de/interaktiv/winnti/english/
Operations: 2015-07
Operations: A BASF spokeswoman tells us in an email that in July 2015, hackers had successfully overcome “the first levels” of defense. https://web.br.de/interaktiv/winnti/english/
Operations: 2015-10
Operations: Breach of a Vietnamese gaming company https://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html During the investigation, a Linux version of Winnti was found. https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
Operations: 2016-02
Operations: Breach of German Steelmaker ThyssenKrupp https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341
Operations: 2016-06
Operations: According to Siemens, they were penetrated by the hackers in June 2016. https://web.br.de/interaktiv/winnti/english/
Operations: 2016 Summer
Operations: In the case of another Japanese company, Sumitomo Electric, Winnti apparently penetrated their networks during the summer of 2016. https://web.br.de/interaktiv/winnti/english/
Operations: 2017-03
Operations: Recently, the Winnti group, a threat actor with a past of traditional cybercrime (particularly financial fraud), has been seen abusing GitHub by turning it into a conduit for the command and control (C&C) communications of their seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM). https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/
Operations: 2018-04
Operations: Breach of German chemicals giant Bayer https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004
Operations: 2018-11
Operations: Breach of Swiss drug maker Roche https://www.reuters.com/article/us-germany-cyber/basf-siemens-henkel-roche-target-of-cyber-attacks-idUSKCN1UJ147
Operations: 2019 Early
Operations: Covestro is regarded as Germany’s most successful spin-off in the recent past. Up until June 2019, they had at least two systems on which the Winnti malware had been installed. https://web.br.de/interaktiv/winnti/english/
Operations: 2019 Early
Operations: Another manufacturer of adhesives, Bostik of France, was infected with Winnti in early 2019. https://web.br.de/interaktiv/winnti/english/
Operations: 2019
Operations: Lion Air, Marriott and Valve declined to comment or were not immediately available for comment https://www.reuters.com/article/us-germany-cyber/basf-siemens-henkel-roche-target-of-cyber-attacks-idUSKCN1UJ147
Operations: 2019 Late
Operations: Breach of German chemicals company Lanxess https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html
Operations: 2020-02
Operations: Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company. The company is known for its Massive Multiplayer Online Role Playing Game (MMORPG) Ragnarok Online, which is also offered as a mobile application. https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/
Operations: 2021-03
Operations: Exchange servers under siege from at least 10 APT groups https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
Information: https://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/
Information: https://securelist.com/winnti-more-than-just-a-game/37029/
Information: https://401trg.com/burning-umbrella/
Mitre-attack: https://attack.mitre.org/groups/G0044/
Last-card-change: 2022-07-19
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Procedure |
---|---|---|
TA0042 Resource Development | T1583.001 Acquire Infrastructure: Domains | Winnti Group has registered domains for C2 that mimicked sites of their intended targets. |
TA0005 Defense Evasion | T1553.002 Subvert Trust Controls: Code Signing | Winnti Group used stolen certificates to sign its malware. |
TA0007 Discovery | T1083 File and Directory Discovery | Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts. |
TA0011 Command and Control | T1105 Ingress Tool Transfer | Winnti Group has downloaded an auxiliary program named ff.exe to infected machines. |