{
	"id": "99242c5e-2d8f-4a10-9c1d-fe30c645f01c",
	"created_at": "2026-04-06T00:07:42.294486Z",
	"updated_at": "2026-04-10T03:32:21.270542Z",
	"deleted_at": null,
	"sha1_hash": "0fd407a9350ce94b7bd446e586fb88ccab415adc",
	"title": "Report: Chinese government is behind a decade of hacks on software companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33660,
	"plain_text": "Report: Chinese government is behind a decade of hacks on software companies\r\nBy Dan Goodin\r\nPublished: 2018-05-05 · Archived: 2026-04-05 14:36:10 UTC\r\nKaspersky said it discovered ShadowPad through a referral from a partner in the financial industry that observed a computer used to perform transactions making suspicious domain-name lookup requests. At the time, NetSarang tools were used by hundreds of banks, energy companies, and pharmaceutical manufacturers.\r\nOpsec mistakes\r\nProtectWise said that since the beginning of the year, members of Winnti have waged phishing attacks that attempt to trick IT workers in various organizations into turning over login credentials for accounts on cloud services such as Office 365 and G Suite. One campaign that ran for eight days starting on March 20 used Google’s goo.gl link-shortening service, which allowed ProtectWise to use Google’s analytics service to glean key details. An image of the message appears at the top of this post.\r\nThe service showed that the link was created on February 23, some three weeks before the campaign went live. It also showed that the malicious phishing link had been clicked a total of 56 times: 29 times from Japan, 15 times from the US, twice from India, and once from Russia. Chrome browsers accounted for 33 of the clicks, and 23 came from Safari users. Thirty clicks came from Windows computers, and 26 from macOS hosts.\r\nAttackers who got access to targets’ cloud services sought internal network documentation and tools for remotely accessing corporate networks. Attackers who succeeded typically used automated processes to scan internal networks for open ports 80, 139, 445, 6379, 8080, 20022, and 30304. Those ports indicate an interest in Web and file-storage services and in clients that use the Ethereum digital currency.\r\nMost of the time, the attackers use their command-and-control servers to conceal their true IP addresses. 
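A small detection script for the two behaviors described here, added as an example and not code from the Ars Technica article or from ProtectWise: it flags internal hosts that probe the port set listed above across several targets, and it flags connections whose source falls in the 221.216.0.0/13 block that the report ties to the intruders' unproxied access. The log lines are constructed for the example, their field layout and the sweep thresholds are assumptions, and a real deployment would read flow or firewall logs instead.

```python
# Added example, not from the article or the ProtectWise report. The port set
# and the 221.216.0.0/13 block are the values the article reports; the log
# format, sample lines and thresholds are assumptions made for this illustration.
import ipaddress
from collections import defaultdict

# Ports the article says the intruders swept on internal networks.
WINNTI_SCAN_PORTS = {80, 139, 445, 6379, 8080, 20022, 30304}
# Block the article names for the intruders' unproxied connections.
UNPROXIED_SRC_BLOCK = ipaddress.ip_network('221.216.0.0/13')

# Constructed sample log, assumed layout: timestamp src_ip dst_ip dst_port status
SAMPLE_LOG = '''
2018-03-21T09:00:01 10.1.4.22 10.1.5.10 80 open
2018-03-21T09:00:01 10.1.4.22 10.1.5.10 139 closed
2018-03-21T09:00:02 10.1.4.22 10.1.5.10 445 open
2018-03-21T09:00:02 10.1.4.22 10.1.5.11 6379 closed
2018-03-21T09:00:03 10.1.4.22 10.1.5.11 8080 open
2018-03-21T09:00:03 10.1.4.22 10.1.5.12 20022 closed
2018-03-21T09:00:04 10.1.4.22 10.1.5.12 30304 closed
2018-03-21T09:05:00 10.1.4.50 10.1.5.10 443 open
2018-03-21T09:05:01 10.1.4.50 10.1.5.10 80 open
2018-03-21T10:12:44 221.219.8.7 10.1.5.10 3389 open
2018-03-21T10:13:02 198.51.100.9 10.1.5.10 443 open
'''


def parse_log(text):
    # Turn the whitespace-separated lines into dicts; malformed lines are skipped.
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, status = parts
        records.append({'ts': ts, 'src_ip': src, 'dst_ip': dst,
                        'dst_port': int(port), 'status': status})
    return records


def find_port_sweeps(records, min_ports=4, min_targets=2):
    # A sweep is one source touching several of the listed ports on several
    # hosts. Closed ports count too: a scanner probes regardless of outcome,
    # so the attempts are the signal, not the successful connections.
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for r in records:
        if r['dst_port'] in WINNTI_SCAN_PORTS:
            ports_by_src[r['src_ip']].add(r['dst_port'])
            targets_by_src[r['src_ip']].add(r['dst_ip'])
    hits = {}
    for src, ports in ports_by_src.items():
        targets = targets_by_src[src]
        if len(ports) >= min_ports and len(targets) >= min_targets:
            hits[src] = (sorted(ports), sorted(targets))
    return hits


def find_unproxied_access(records, block=UNPROXIED_SRC_BLOCK):
    # Sources inside the named block, i.e. connections that did not go through
    # the command-and-control proxies the intruders normally use.
    return sorted({r['src_ip'] for r in records
                   if ipaddress.ip_address(r['src_ip']) in block})


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for src, (ports, targets) in find_port_sweeps(recs).items():
        print('internal sweep from', src, '- ports', ports, '- targets', targets)
    for src in find_unproxied_access(recs):
        print('unproxied connection from named block:', src)
```

The thresholds are deliberately low for the toy sample; against real east-west traffic they need tuning on a baseline, or vulnerability scanners and monitoring hosts will trip them daily. Note also that 221.216.0.0/13 is a large ISP allocation: the report's observation is that the intruders' unproxied slips came from it, not that every address in it is hostile, so a match is a lead to correlate with other evidence rather than a verdict.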
In a few instances, however, the intruders mistakenly accessed the infected machines without such proxies. In all those cases, the source addresses fell within the block 221.216.0.0/13, which belongs to the China Unicom Beijing Network in the Xicheng District.\r\n“The attackers grow and learn to evade detection when possible but lack operational security when it comes to the reuse of some tooling,” the report concluded. “Living off the land and adaptability to individual target networks allow them to operate with high rates of success. Though they have at times been sloppy, the Winnti umbrella and its associated entities remain an advanced and potent threat.”\r\nSource: https://arstechnica.com/information-technology/2018/05/researchers-link-a-decade-of-potent-hacks-to-chinese-intelligence-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://arstechnica.com/information-technology/2018/05/researchers-link-a-decade-of-potent-hacks-to-chinese-intelligence-group/"
	],
	"report_names": [
		"researchers-link-a-decade-of-potent-hacks-to-chinese-intelligence-group"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434062,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fd407a9350ce94b7bd446e586fb88ccab415adc.pdf",
		"text": "https://archive.orkl.eu/0fd407a9350ce94b7bd446e586fb88ccab415adc.txt",
		"img": "https://archive.orkl.eu/0fd407a9350ce94b7bd446e586fb88ccab415adc.jpg"
	}
}