SESSION

The online entertainment business is not a notable victim when we talk about Advanced Persistent Threat (APT) attacks. Previously, APT research emphasized the victims in the public sector, such as the government, military, or critical infrastructure. It was not until 2020 that security researchers started to shed light on APT attacks against the online entertainment industry. For instance, TrendMicro's "Operation DRBControl" suggested that China-nexus APT41 and APT27 had targeted gambling and betting entities.

This talk will focus on APT's targeted attack against online entertainment companies which have solid cash flow and a massive amount of personal data. Previously, many cases were believed to be financially-motivated attacks because of the usage of ransomware. However, based on our observation in the past few years, APT attacks against online entertainment companies are also driven by espionage purposes.

We will dissect more than 20 targeted attack operations TeamT5 has tracked since 2018. Our analysis shows technical links between these targeted attacks and the infamous Chinese APT, including APT10 (aka menuPass), APT41 (aka Winnti, Amoeba), and APT27 (aka GreedyTaotie). Our presentation will cover these attacks' Tactic Technique and Procedures (TTPs). We have seen those APT groups adopt different TTPs aimed at the online entertainment industry. We detected the well-known China-origin weapons such as PlugX, ZxShell, and APT's shared tools such as Hyperbro, PlugX2016, and CoinDrop. Many campaigns even deployed ransomware for double extortion.

More importantly, these cases gave us a peek into China's strategic move. We believe that these APT attacks are the preliminary work of the Chinese government. After these intensive attacks of APT, we have seen China is officially purging the online entertainment and gambling industry. Our strategic intelligence indicates several possible scenarios which could lead us to believe the ultimate goal of these APT attacks.