Nation-State Actor
Winnti Group
China • Active since 2009
Winnti started by hacking video game companies but now attacks all kinds of tech firms. They sneak their malware into legitimate software updates, so when you update your software, you also install their backdoor.
Overview
Winnti Group is a Chinese state-sponsored threat group that initially targeted the gaming industry but expanded to pharmaceuticals, technology, and telecommunications. They are known for supply chain attacks.
Also Known As
Axiom, Barium, APT17
Target Industries
Gaming, Pharmaceuticals, Technology, Telecommunications, Software
Target Regions
Global, Asia, Europe, United States
Tactics, Techniques & Procedures
- Supply chain compromise
- Trojanized software updates
- Stolen code signing certificates
- SQL Server backdoors
- Living off the land
Known Tools & Malware
Winnti, ShadowPad, PlugX, Crosswalk, Skip-2.0
Notable Campaigns
ASUS Supply Chain Attack (2018)
Compromised ASUS Live Update to distribute malware to hundreds of thousands of users.
CCleaner Compromise (2017)
Backdoored CCleaner software affecting 2.27 million users.
MITRE ATT&CK Techniques
T1195.002, T1553.002, T1505.001, T1059, T1078
Defense Recommendations
1. Implement software bill of materials
2. Monitor for ShadowPad indicators
3. Verify software update authenticity