Jiang Lizhi, 35, works at a company called Chengdu 404 Network Technology Company Ltd. in the capital city of China’s Sichuan province. He’s the Vice President for the Technical Department of Chengdu 404.
Chengdu 404 bills itself as a network security company, with “elite ‘white hat’ hackers” providing defensive measures and data analytics services. According to a U.S. federal indictment, their marketing says they provide penetration testing, password recovery services, ‘mobile device forensics,’ and other services.
But what the company’s top executives really do is execute global cyberattacks as Advanced Persistent Threat group 41, or APT41, according to the indictment released in August.
APT41’s main focus appears to be disrupting software supply chains by stealing software companies’ business data, source code, and customer account information. APT41 also modified the software products’ code so that they delivered malware to the software companies’ customers.
However, APT41 didn’t limit itself to software companies.
Prosecutors say APT41 hacked into “more than 100 victim companies, organizations, and individuals in the United States” and 13 other countries worldwide. Some of the attacks appeared to be spying, from attacks on hotel reservation systems to stealing call record information from telecoms.
Prosecutors said APT41 used sophisticated hacking techniques as well as publicly available exploits and tools to take advantage of known “common vulnerabilities and exposures” – the publicly listed CVE notices for software flaws. Other times, they relied on phishing and fake resume attachments to deliver malware.
In one example provided in the indictment, prosecutors said APT41 installed malware on numerous computers used by an Indiana-based research university with a veterinary science and pharmacy school. Prosecutors didn’t name the school in the indictment.
In another example, prosecutors said APT41 sent 362 spear-phishing emails over three days. The emails looked like someone sent a resume as an attachment. But the attachment actually delivered malware.
The U.S. also accused APT41 of hacking into gaming companies to steal digital tokens providing extra game points, powers, and other benefits. Investigators think these attacks were an after-hours “hobby” of the APT41 crew, which sold the pilfered game points and capabilities on the Dark Web.
Finally, prosecutors also accused APT41 of delivering ransomware or crypto-jacking malware to cover their “costs” when their hacking failed to produce valuable data. Crypto-jacking is when a criminal secretly installs cryptocurrency-mining software on victim computer systems, using the victims’ processing power for free to acquire more digital money.
Jiang, whom investigators say sometimes uses an online persona called “Blackfox,” worked in his 20s for a different Chinese company. Prosecutors say this was a hacking group that served government agencies and boasted of close connections with China’s Ministry of State Security.
At this first company, he met and collaborated with other hackers who’ve also been indicted by the U.S. for cyber-attacks and theft, according to prosecutors.
Prosecutors also published an intercepted email conversation from 2012 between Jiang and another hacker. In the exchange, Jiang says that hacking was “my old business” and that he had been using phishing websites and spear-phishing emails. He said a 2012 goal was to improve his computer hacking skills to go after Linux operating systems.
In another email exchange, Jiang advised a different hacker colleague to “not touch domestic stuff anymore” – apparently because the colleague didn’t have the same “protection” from the government as Jiang did.
“Jiang boasted that he was ‘the classic example of maintaining low key,’ and claimed that he was ‘very close’ with the ‘GA,’ meaning the PRC Ministry of State Security,” according to the U.S. indictment. The indictment said the two hackers agreed that Jiang’s association with China’s Ministry of State Security protected him from police actions, “unless something very big happens.”
Jiang is believed to be living in China and probably in Chengdu, although the USDOJ did not provide further specifics.