Keanna Grelicha, Counterintelligence and Cyber (CICYBER)

Shachi Gokhale, Editor; Demetrios Giannakaris, Senior Editor

November 2022

Keyboard Cyber[1]

Geographical Area | East Asia; South Asia; Western Europe; North America

Countries/Enterprises Affected | China; Sri Lanka

Winnti, a China-aligned threat actor, is targeting organizations based in Hong Kong as part of their ongoing espionage campaign called Operation CuckooBees.[2] They have been active since 2017 and carry out Chinese state-sponsored espionage activities to steal intellectual property (IP).[3] The campaign, dating back to 2019, targets organizations in the healthcare, telecommunication, high-tech, media, agriculture, and education sectors by using spear-phishing tactics with fraudulent emails to breach the victim’s network.[4] Operation CuckooBees has exfiltrated hundreds of gigabytes (GBs) from these organizations in East Asia, Western Europe, and North America.[5] The ongoing espionage campaign very likely poses security issues for organizations that are founded by China’s adversaries, as the cyber group very likely targets those organizations to obtain data for their Chinese counterparts. These activities would align with China’s Cybersecurity Law (CSL) that emphasizes their right to police their Internet borders, along with a level of control over the data.[6] The data theft very likely fuels their ongoing campaign and very likely allows China to monitor the activity within their borders to have control of their Internet.

Security Risk Level:

Areas of High Security Concern: The length of the espionage campaign using different variants of the Spyder malware indicates that Winnti is persistent, has specific targeting methods, and can conduct operations on victim networks without immediate detection.[7] Only through the investigation of Winnti operations were separate attacks uncovered, showing that government organizations in Sri Lanka were targeted in August 2022 and opened a new backdoor called DBoxAgent.[8] This kill chain of attacks presents a high security concern for compromised users who fall victim to the initial mode of entry, the phishing email, which very likely allows the hackers to access personally identifiable information (PII) through these backdoors. The hackers will very likely use the PII to impersonate the users and send phishing emails from the compromised accounts to access further networks in the organization to collect additional data as part of the ongoing espionage campaign. These attack chains very likely allow the hackers to collect as much data as possible to fulfill their state-sponsored operation agreements. Winnti’s Chinese state-sponsorship affiliation almost certainly adds to the security concern for the targeted organizations that are aligned with countries who consider China an adversary, as it almost certainly poses a risk of Chinese oversight of their data operations, which could include classified materials.

Current Claims: China; Sri Lanka

Current Attack: Winnti is conducting an espionage campaign against organizations in Hong Kong using spear-phishing emails to target victims and gain initial entry to their networks.[9] While inside the network, the group deploys a malware loader called Spyder, which targets information storage systems, collects data on devices, and provides command-and-control (C2) server communication to the cyber group.[10] The Spyder malware allows the cyber group to persist within the network and collect data while enabling a backdoor to drop other tools to exfiltrate data and export it back to their cloud storage service.[11]
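The Current Attack entry above notes that the Spyder loader maintains command-and-control (C2) communication with the group and lets the malware persist on the network. One generic signal defenders hunt for in such persistence is a regular call-home rhythm ("beaconing") from a workstation to an external host. The following script is an added example written for this page, not code from the CTG report or from any analysis of Spyder; it runs a simple beacon heuristic over constructed web-proxy log lines. Host names, timestamps, and the thresholds `min_hits` and `max_cv` are assumptions for illustration and would need tuning in a real environment.

```python
"""Added example (not from the CTG report): flag periodic outbound connections
("beaconing") in constructed web-proxy log lines.  A near-constant interval
between connections from one host to one destination is a generic C2 signal
worth reviewing; hosts, IPs and timestamps below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: timestamp, source host, destination host, bytes out.
# The "update.example-cdn.test" entries recur every ~300 s; intranet traffic does not.
SAMPLE_LOG = """\
2022-10-18T09:00:00 ws-finance-07 update.example-cdn.test 512
2022-10-18T09:00:41 ws-finance-07 intranet.corp.test 2048
2022-10-18T09:05:01 ws-finance-07 update.example-cdn.test 510
2022-10-18T09:10:00 ws-finance-07 update.example-cdn.test 514
2022-10-18T09:12:17 ws-finance-07 intranet.corp.test 1024
2022-10-18T09:15:02 ws-finance-07 update.example-cdn.test 511
2022-10-18T09:20:00 ws-finance-07 update.example-cdn.test 513
2022-10-18T09:25:01 ws-finance-07 update.example-cdn.test 509
2022-10-18T09:33:48 ws-finance-07 intranet.corp.test 4096
2022-10-18T09:58:10 ws-finance-07 intranet.corp.test 800
"""


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Return {(src, dst): (hits, mean_interval_s, cv)} for host pairs whose
    inter-connection intervals are nearly constant.  cv is the coefficient of
    variation (stdev / mean); a low value means a regular call-home rhythm.
    min_hits and max_cv are assumed thresholds, not values from the report."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    suspects = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects[pair] = (len(times), round(avg, 1), round(cv, 3))
    return suspects


if __name__ == "__main__":
    # Expected: only the ws-finance-07 -> update.example-cdn.test pair is flagged.
    for pair, stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(pair, stats)
```

A flagged pair is a lead for analysts, not a verdict: legitimate software updaters also poll on fixed schedules, so the hit should be checked against an allowlist of known update services and the destination's reputation before escalation.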

Groups Involved in Attack: Winnti (aka APT41, Barium, Bronze Atlas, Wicked); Hong Kong-based organizations; technology and manufacturing companies in East Asia, Western Europe, and North America

Major Capital Industries: healthcare; telecommunication; high-tech; media; agriculture; education

Potential Industry Concerns: The targeted industries will very likely continue to be active victims of the espionage campaign as more employees fall victim to spear-phishing emails if the industries do not implement end-user phishing awareness. Employees within the healthcare industry falling victim to a phishing email that allows the hacker entry to the servers would pose security concerns for the organization and the patients’ PII. Access to organization networks would very likely allow the hacker to surf the system and collect PII and critical data from the organization, which the hacker could very likely use to conduct further espionage attacks or carry out identity theft or fraud. Organizations in the telecommunication, high-tech, media, agriculture, and education industries almost certainly face the same security concerns if administrative employees or employees with connections to networks that hold PII and critical data were breached as well. These industries will very likely increase their security protocols to respond to the ongoing espionage campaign and mitigate threats based on previous Winnti targets. Increasing end-user awareness with phishing and fraud training, along with the implementation of multi-factor authentication (MFA) security protocols, will very likely decrease the success rate of Winnti obtaining sensitive data from the campaign.
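Phishing awareness, as recommended above, is easier to reinforce when the mail gateway surfaces the same cues a trained employee is told to look for. The script below is an added example for this page, not code from the CTG report and not tied to any real Winnti lure; it uses only the Python standard library to triage a constructed inbound message for four common spear-phishing cues: a second address hidden in the display name, a sender domain that is a near-miss of a trusted one, a Reply-To pointing elsewhere, and failed SPF/DKIM results from the receiving gateway. The domains, the message, and the edit-distance threshold are assumptions for illustration.

```python
"""Added example (not from the CTG report): heuristic triage of an inbound
message for spear-phishing cues.  Standard library only; the trusted domains,
the sample headers and the lookalike threshold are constructed assumptions."""
from email import message_from_string
from email.utils import parseaddr

# Domains the (hypothetical) organization considers its own or trusted.
TRUSTED_DOMAINS = {"corp.test", "hr.corp.test"}

# Constructed raw message: lookalike sender domain ("c0rp" vs "corp"), a second
# address smuggled into the display name, a mismatched Reply-To, and a failed
# SPF check as the receiving gateway would record it.
SAMPLE_MESSAGE = """\
From: "HR Department <hr@corp.test>" <hr@c0rp.test>
Reply-To: recruit@mailbox.example
To: employee@corp.test
Subject: Updated benefits form - action required
Authentication-Results: mx.corp.test; spf=fail smtp.mailfrom=c0rp.test; dkim=none
Content-Type: text/plain

Please open the attached form and sign in with your corporate account.
"""


def edit_distance(a, b):
    """Levenshtein distance; small values flag typosquatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of human-readable indicators found in the message headers.
    An empty list means none of the four heuristics fired, not that the mail is safe."""
    msg = message_from_string(raw)
    indicators = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. A second address embedded in the display name that differs from the real sender.
    _, embedded = parseaddr(display)
    if embedded and domain_of(embedded) != from_dom:
        indicators.append(f"display name claims {embedded} but sender is {from_addr}")

    # 2. Sender domain is a near-miss of a trusted domain (typosquat / digit swap).
    for td in sorted(trusted):
        if from_dom != td and 0 < edit_distance(from_dom, td) <= max_distance:
            indicators.append(f"sender domain {from_dom} resembles trusted {td}")

    # 3. Reply-To routes responses to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        indicators.append(f"Reply-To {reply} differs from sender domain {from_dom}")

    # 4. Gateway authentication results show an SPF failure or no DKIM signature.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=none" in auth:
        indicators.append("SPF/DKIM did not pass: " + auth)
    return indicators


if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_MESSAGE):
        print("-", hit)
```

Each indicator maps directly onto something a user can be trained to notice (the visible name versus the real address, a misspelled domain, where a reply would go), so the same output can feed both an automated quarantine rule and the awareness material the report recommends.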

Areas of Caution:

  • Government and Law: China’s CSL emphasizes its right to police the Internet within its borders and requires all organizations within its jurisdiction to undergo data process reviews to oversee critical information infrastructure operators and network platform operators within the organizations.[12] The attacks against government organizations in Hong Kong have been ongoing for over a year within the networks dating back to February 2021.[13] The link of Winnti to China with the ongoing espionage campaign draws parallels to the release of the CSL and the intention to monitor data processes of organizations within their territorial and Internet control. The ongoing campaign indicates that the use of threat actors to conduct espionage to collect data could continue in aiding China in enforcing its cyber laws and having monitoring power over the data processes within their Internet borders.

  • Cybersecurity and Political: The Chinese state-sponsored cyber group Winnti has stolen IP, sensitive documents, blueprints, diagrams, formulas, and proprietary data on the indicated organizations since 2019.[14] Winnti’s past targets have aligned with China’s geopolitical interests, and the cyber group has worked with Chinese government agencies to carry out espionage operations.[15] The work with Chinese governmental agencies indicates an ongoing concern for current organizations that are targeted by Winnti as they will very likely be able to obtain sensitive information based on their past success rate and then very likely share the data with Chinese political entities. The US Federal Bureau of Investigation (FBI) put hacker Tan Dailin on their wanted list, which has a link to APT41, a Winnti alias.[16] The cyber group’s activities and the FBI’s actions to identify specific individuals highlight the threat this group poses to targeted organizations and the potential for their data to be shared with China.

Predictive Analysis:

  • Who: Winnti, also tracked as APT41, will very likely continue using spear-phishing techniques to exploit company end-users to gain access to the targeted organization’s networks and servers to collect PII and operational data. Organizations in Hong Kong will very likely be on high alert as the ongoing campaign has now been detected, which will very likely lead to the implementation of security protocols to mitigate any system vulnerabilities and remove any present malware. Organizations in Sri Lanka previously attacked by Winnti will likely face an increase in espionage threats, as this location in South Asia almost certainly holds strategic interests for China, which will very likely link with the state-sponsored operations.

  • What: The depth of the ongoing espionage campaign very likely indicates that Winnti will continue operations with spear phishing techniques to exploit organizations further and steal critical data like IP and proprietary data as done thus far. Accessing data on organizations in countries of interest to China will very likely provide the hackers with data to carry out cyberattacks on States that China deems a strategic target. The threat of cyberattacks on states by a state-sponsored group would very likely spur political and governmental action like sanctions on the group that would likely increase the threat of conflict.

  • Why: The sophistication of Winnti in remaining undetected in its operations for the past 16 years almost certainly presents a security threat for all organizations that fit its target pattern, as these organizations were very likely unaware of possible espionage intrusions by this group. Winnti’s ability to persist for a year while targeting organizations in Hong Kong almost certainly solidifies its ability to stealthily access and gather data. Any lack of security protocols to defend against its malware and spear-phishing tactics will very likely lead to the cyber group continuing to use them against organizations that are very likely of strategic interest to China to fulfill their state-sponsorship requirements.

  • When: The affiliation of Winnti as a Chinese state-sponsored group will very likely present further developments of their actions in the following months regarding past and ongoing espionage campaigns. Though some of their operations are now disclosed, the hacker group’s ability to remain undetected for a long period very likely provided them with ample time to collect data and perform reconnaissance on the targeted networks of Hong Kong-based organizations. The information gathered almost certainly poses an ongoing threat to those organizations as the group will very likely keep the data to carry out future operations to exploit targets further.

  • How: The spear-phishing tactics will very likely include more advanced tools within the continued use of different Spyder malware variants and will persist within the networks with the use of the new backdoor DBoxAgent. The hackers will likely develop tools with remote access trojans (RATs) and C2 operations to surf the accessed accounts to obtain network and server data. The RAT and C2 will very likely allow the hackers to automate their malware injections and destructive attacks with minimal oversight to expand their range of targets.

The CICYBER Team recommends that healthcare, education, agriculture, media, telecommunication, and high-tech companies work with their information technology (IT) departments, or, for smaller organizations within these industries, with IT affiliates, to address the lack of security protocols against phishing and espionage. It is highly recommended that the collaboration include employee and contractor training for all individuals regardless of their account privileges to company and agency networks. The training should include phishing awareness and encryption basics for privacy and security. Encryption will help protect both PII and company data and help separate the sensitive information within the network by establishing encryption requirements. These protocols will further protect the network from malicious access by requiring more skill from the hackers to break the encryption. It is also recommended that organizations increase architectural and passive defense modes of security by implementing anti-malware and malware intrusion detection software in their systems to increase the rate of detection.

The Counterterrorism Group (CTG) works to detect, deter, and defeat terrorism and will continue to monitor the evolution of spear phishing tactics in cyberattacks for future developments. CTG’s Worldwide Analysis of Threats, Crimes, and Hazards (WATCH) Officers will monitor ongoing phishing attacks by Winnti and its aliases to help establish trends to aid in prevention methods against future incidents.


[1] “Keyboard Cyber” by geralt licensed under Pixabay License

[2] Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong, The Hacker News, October 2022

[3] Ibid

[4] Ibid

[5] Ibid

[6] Cybersecurity 2022, Global Practice Guides | Chambers and Partners, March 2022

[7] Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong, The Hacker News, October 2022

[8] Ibid

[9] Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong, The Hacker News, October 2022

[10] Ibid

[11] Ibid

[12] China’s Evolving Cybersecurity and Cyber Development Strategy, Jones Day, December 2020

[13] Hackers compromised Hong Kong govt agency network for a year, Bleeping Computer, October 2022; Spyder Loader Malware Deployed Against Hong Kong Organizations, InfoSecurity, October 2022

[14] Chinese APT group Winnti stole trade secrets in years-long undetected campaign, CSO Online, May 2022

[15] Ibid

[16] Ibid