"We assess with high confidence that multiple publicly reported threat actors operate with some shared goals and resources as part of the Chinese state intelligence apparatus," reads a key judgement in 401TRG's report. Attacks carried out by hacking groups Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda and GREF are alleged to be under the "Winnti umbrella," and perceived shared goals and hacking methods are said to link the Winnti umbrella to China's state intelligence apparatus.
In rare cases, network intrusions were traced back to a district in Beijing, which researchers say was a slip-up. Shared methods include the practice of using a previously hacked network to launch new offensives.
"Though the TTPs (Tactics, Techniques and Procedures) of the attacking teams vary depending on the operation, their use of overlapping resources presents a common actor profile," the report says.
"Key interests during attacks often include the theft of code-signing certificates, source code and internal technology documentation. They also may attempt to manipulate virtual economies for financial gain," the report says, adding that the financial objective of the hackers is unconfirmed and secondary to political aims.
Although the group is alleged to be an arm of the People's Republic of China, the report says "the financial secondary objective [of the Winnti umbrella] may be related to personal interests of the individuals behind the attacks."
The decade of hacks examined in the report includes initial targets in the US, Japan, South Korea and China, which were gaming studios and technology businesses. However, "the broader organization's main targets are political," according to 401TRG. "Historically, this has included Tibetan and Chinese journalists, Uyghur and Tibetan activists, the government of Thailand and prominent international technology organizations," the group said.