APT41 activity down during China COVID-19 quarantines; massive campaign undeterred
COVID-19 spreading through parts of China did not entirely deter APT41 from carrying out one of the largest campaigns ever conducted by a Chinese cyberespionage group.

The attacks were not directly tied to the Coronavirus outbreak, nor did the attackers attempt to leverage the virus in any way, but FireEye noted the group's activity did decrease at two points during the campaign as China began to lock down regions to contain the illness.

“We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,” the report stated.

Overall, between January 20 and March 11 FireEye tracked the gang attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central at more than 75 in 20 different countries, including the United States, UK and Japan. APT41 cast its net quite wide, attempting to obtain information from companies in the banking, construction, defense, news and manufacturing sectors.

FireEye has detailed the exact vulnerabilities APT41 attempted to leverage.

On Citrix Application Delivery Controller (ADC) and Citrix Gateway devices, the vulnerability was CVE-2019-19781, which was first disclosed in December 2019. A software update was issued, but FireEye noted these attacks were specifically conducted against Citrix devices, indicating the malicious actors knew ahead of time which devices to attack.