Threat actors from the notorious APT41 group, which is suspected of being backed by the Chinese government, infiltrated a major gambling company, compromising its entire network infrastructure.
Security Joes' Incident Response Team detailed the attack in a 2024 report. APT41 used advanced tactics to maintain stealth access for nearly nine months, stealing sensitive data such as user passwords and secrets from the LSASS process and adapting their toolset to bypass all installed security systems.
During this time, attackers employed a variety of techniques, including DCSync attacks, Kerberoasting, and the impersonation technique known as Silver Tickets.
These techniques enabled them to move laterally across the network, increasing their access and deploying more malware via covert channels.
Security tools proved ineffective as threat actors used custom-developed tools, some of which had not previously been documented in any cybersecurity investigation.
APT41, also known as Winnti, has a long history of high-profile cyber intrusions that frequently combine espionage with financially motivated cybercrimes.
Their persistence and ability to remain undetected while actively gathering critical information, such as user credentials and sensitive data from LSASS memory, distinguishes them as among the most sophisticated adversaries in the cyber domain.
The group also established covert channels to deploy malware and maintain control over the affected endpoints, leaving little evidence for detection.
Despite the gambling industry's security defenses, hackers continued to adapt.
When security measures were implemented, APT41 changed tactics, incorporating new methods for staying under the radar.
“They would vanish for a time after detection, only to return later with new techniques to continue their foothold,” Security Joes' team noted.
Sophos linked this attack to a larger state-sponsored campaign known as Operation Crimson Palace, which connected APT41's intrusion to broader Chinese cyber-espionage activities.
The malware used in this case was unique, with no prior appearance in other threat analyses, making the group's innovation even more dangerous to the targeted industries.
APT41's history is riddled with espionage accusations, but their involvement in financial crimes such as ransomware and cryptocurrency theft adds another layer of risk to industries like gambling, where large sums of money are at stake.
“The attackers were studying the defenders' reactions, fine-tuning their tools accordingly,” Security Joe said.