Chengdu, a city in Sichuan Province, has emerged as a significant hub for hacking activities, largely due to its laid-back atmosphere, rich educational resources, and unique culture. The Natto Team’s research highlights connections between local companies and advanced persistent threat (APT) groups, particularly APT41, while also exploring the social dynamics of Chengdu’s teahouses and hotpot restaurants that foster networking among hackers.

Affected: Chengdu, APT41, i-SOON, Sichuan Silence Information Technology, Chengdu 404, NoSugar Tech
Key points:
- Chengdu is recognized as a hotspot for hacking activities, with significant APT presence.
- The Natto Team identified i-SOON’s links to APT41 and its role as a hacker-for-hire.
- Chengdu’s laid-back lifestyle and educational institutions attract hackers.
- Local teahouses and hotpot restaurants serve as informal meeting places for hackers.
- Chengdu has a strong pipeline of cybersecurity talent from its universities.
- Several Chengdu-based companies have connections with local educational institutions.
- Chengdu was designated as a “City of Gastronomy” by UNESCO in 2011.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: APT41 utilized application layer protocols for command and control.
- T1086 – PowerShell (legacy technique ID; in the current ATT&CK matrix this is T1059.001, Command and Scripting Interpreter: PowerShell): Used for executing scripts to facilitate malicious activities.
- T1203 – Exploitation for Client Execution: APT41 exploited software vulnerabilities to execute code.
- T1499 – Endpoint Denial of Service: Engaged in denial of service attacks against targets.
- T1566 – Phishing: APT41 employed phishing techniques for initial access.
Indicators of Compromise:
- [domain] i-SOON.com
- [domain] chengdu404.com
- [domain] sichuansilence.com
- [others ioc] APT41
- [others ioc] Tianfu Cup
- See the full article for all IoCs found.
Full Research: https://malware.news/t/chengdu-teahouses-hotpots-universities-and-hackers/89994