This is the APT41 / Barium / Winnti / Wicked Panda / Wicked Spider intrusion group
Some interesting points for infosec folks:
1) Very rapid turnarounds of publicly disclosed security exploits into active campaigns
2) Most of this group's activities were targeting IoT/router/VPN things that corps are less good at quickly patching
Part of what makes this group "advanced" is leveraging compromises to enable further compromises and persistence. So here, for example: compromising victim #1, stealing their code signing certs, and pushing signed malware to that victim's targeted customers.
This is also a laundry-list of many key problems for infosec:
1) Spear-phishing: still problematic
2) Supply-chain (malicious update) compromises
3) Breaking into corp networks via rapid-turnaround public bugs in unpatched IoT/VPN/routers and then pivoting to the internal network
You can follow @pwnallthethings.