Chinese cyberespionage bootcamps training recruits in the art of supply chain attacks for over a decade

New report from Venafi shows Chinese threat actors targeting code signing certificates for use in software supply chain attacks

Venafi®, the inventor and leading provider of machine identity management, today published a new report analyzing attack patterns of the state-backed Chinese hacking group, APT41 (also known as the Winnti Group). The research, APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks, shows that:

  • APT41 is unique among China-based threat groups in that it uses specially crafted, non-public malware, of the kind normally reserved for espionage, for financial gain, likely outside the scope of its state-sponsored missions.
  • Critical to the success of this attack method, APT41 has made code signing keys and certificates — which serve as machine identities that authenticate code — a primary target.
  • Compromised code signing certificates are used as a shared resource for large teams of attackers because they act as an attack force multiplier and dramatically increase the odds of success.
  • This strategic, long-term focus is a primary factor in APT41’s ability to successfully compromise a wide range of high value targets across multiple industries including healthcare, foreign governments, pharmaceuticals, airlines, telecommunications, and software providers.

Venafi warns that APT41's success makes it likely that its combination of compromised code signing machine identities and supply chain attacks will become the preferred method of other threat groups, and that businesses need to prepare for more nation-state groups operating with stolen code signing machine identities.

“APT41 has repeatedly used code signing machine identities to orchestrate a string of high-profile attacks that support China’s long-term economic and political goals and military objectives,” commented Yana Blachman, threat intelligence specialist at Venafi. “Code signing machine identities allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect. Since targeting the Windows software utility CCleaner in 2018 and the ASUS LiveUpdate in 2019, APT41’s methods continue to improve. Every software provider should be aware of this threat and take steps to protect their software development environments.”

One of APT41’s preferred methods of entry is to compromise the supply chain of a commercial software vendor. Trojanizing the vendor's product gives the group a foothold in every customer that installs it, from which it can pick out carefully chosen victims. APT41 then delivers secondary malware only to the targets that are of cyberespionage interest. Once inside, it moves laterally across the victim's network using stolen credentials and a variety of reconnaissance tools, and deploys bespoke malware to steal valuable intellectual property and customer data from those specific targets.

Code signing machine identities are so crucial to APT41’s attack methods that the group is actively managing a library of code signing certificates and keys stolen or purchased from underground dark web marketplaces and other Chinese attack groups to bolster their supplies. Previous Venafi research has shown that code signing certificates are readily available for purchase on the dark web, selling for up to $1,200 each.
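The mechanism behind the quote, the supply chain entry method and the stolen-certificate library above is simple: a signature produced with a stolen private key is cryptographically identical to one the vendor produced, so signature validation on its own cannot tell a trojaned update from a genuine one. The Go program below is an added example written for this page; it is not Venafi's research code or anything attributed to APT41. It stands in Ed25519 for Authenticode and a SHA-256 key fingerprint for a certificate thumbprint, and every key and payload is generated or constructed inline. It shows that the naive check accepts the trojan, that the signature still catches post-signing tampering and an attacker's own key, and that the control a defender actually needs is an allowlist of expected publisher keys plus a denylist of keys reported compromised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a toy stand-in for a signed installer (constructed example, not Authenticode).
type Release struct {
	Payload   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// KeyFingerprint is hex(SHA-256(public key)), the analogue of the
// certificate thumbprint that allowlists and denylists are keyed on.
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign signs SHA-256(payload); vendor or thief, whoever holds priv gets the same result.
func Sign(payload []byte, priv ed25519.PrivateKey) Release {
	digest := sha256.Sum256(payload)
	return Release{payload, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, digest[:])}
}

// VerifyOnly is the naive control: is the signature mathematically valid?
func VerifyOnly(r Release) bool {
	digest := sha256.Sum256(r.Payload)
	return ed25519.Verify(r.Signer, digest[:], r.Signature)
}

type Verdict string
const (
	Accept        Verdict = "accept"
	BadSignature  Verdict = "reject: signature invalid"
	UnknownSigner Verdict = "reject: signer not in allowlist"
	StolenSigner  Verdict = "reject: signer key reported compromised"
)

// Policy supplies what a signature check cannot know: expected keys and keys reported stolen.
type Policy struct {
	Trusted     map[string]bool
	Compromised map[string]bool
}

func (p Policy) Evaluate(r Release) Verdict {
	if !VerifyOnly(r) {
		return BadSignature
	}
	fp := KeyFingerprint(r.Signer)
	if p.Compromised[fp] {
		return StolenSigner
	}
	if !p.Trusted[fp] {
		return UnknownSigner
	}
	return Accept
}

// Result collects Scenario's verdicts: naive check on the trojan; policy before the theft is
// known (trojan, trojan tampered after signing, attacker's own key); policy after denylisting.
type Result struct {
	TrojanVerifies                              bool
	TrojanBefore, TamperedBefore, ForeignBefore Verdict
	TrojanAfter, VendorAfter                    Verdict
}

// Scenario: the vendor signs a release, an attacker holding the stolen
// vendor key signs a trojaned update, and the defender evaluates both
// before and after the theft is reported. All data is constructed inline.
func Scenario() Result {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Sign([]byte("legitimate installer"), vendorPriv)
	trojan := Sign([]byte("installer + backdoor"), vendorPriv) // signed with the stolen key
	foreign := Sign([]byte("installer + backdoor"), attackerPriv)
	tampered := Release{[]byte("installer + backdoor, edited after signing"), trojan.Signer, trojan.Signature}
	vendorFP := KeyFingerprint(vendorPub)
	before := Policy{Trusted: map[string]bool{vendorFP: true}, Compromised: map[string]bool{}}
	after := Policy{Trusted: before.Trusted, Compromised: map[string]bool{vendorFP: true}}
	return Result{
		TrojanVerifies: VerifyOnly(trojan),
		TrojanBefore:   before.Evaluate(trojan),
		TamperedBefore: before.Evaluate(tampered),
		ForeignBefore:  before.Evaluate(foreign),
		TrojanAfter:    after.Evaluate(trojan),
		VendorAfter:    after.Evaluate(genuine),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Note the collateral effect in the last verdict: once the vendor's key is denylisted, the genuine release fails the same check. In real Authenticode deployments that is what trusted timestamp countersignatures and a revocation date on the certificate are for, so that signatures made before the compromise keep validating while the vendor re-signs with a new key. A signing time asserted inside the signed payload would not help, because whoever holds the stolen key can backdate it.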

“Today, attackers are disciplined, highly skilled software developers, using the same tools and techniques as the good guys,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “They recognize that vulnerabilities in the software build environment are easy to exploit, and they’ve spent years developing, testing and refining the tools needed to steal code signing machine identities. This research should set off alarms with every executive and board because every business today is a software developer. We need to get a lot more serious about protecting code signing machine identities.”

About Venafi

Venafi is the cybersecurity market leader in machine identity management, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, SSH, code signing, mobile and IoT. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With more than 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the top four accounting and consulting firms; four of the top five U.S. retailers; and the top four banks in each of the following countries: the U.S., the U.K., Australia and South Africa.

For more information, visit:

