China's APT41 Manages Library of Breached Certificates

China's APT41 Manages Library of Breached Certificates

A freelance Chinese APT group is actively managing a library of compromised code-signing digital certificates to support cyber-espionage attacks targeting supply chain vendors, according to Venafi.

The security vendor’s latest research report details the work of APT41, an unusual group in that it has previously been observed carrying out attacks for both traditional state-sponsored cyber-espionage and personal financial gain.

Venafi claimed that using the certificates and keys that authenticate pieces of code are a key part of its tactics.

APT41 is reportedly managing a library of these certs and keys – some purchased from underground marketplaces, some obtained from other Chinese attack groups and some stolen by APT41 itself.

This shared resource allows members of the group to select the appropriate certificate for their needs, “dramatically” improving success rates, according to Venafi.

These attacks, conducted in support of China’s long-term economic, military and political goals – are often directed at the digital supply chain, allowing easy compromise of downstream customers.

“Code-signing machine identities allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the past decade has created a blueprint for sophisticated attacks

Read More: