Chinese cyberspies are evolving their tactics, focusing on IT staffers, relying more and more on spear-phishing instead of malware, and gathering code signing certificates from hacked software companies in the preparation of future supply-chain attacks.

These are some of the main points of a 45-page report [HTML, PDF] released yesterday by 401TRG, the Threat Research & Analysis Team at ProtectWise.

Experts analyzed the TTPs (tactics, techniques, and procedures) used across the years by a group previously referred to as Winnti, after the name of one of its main tools, the Winnti backdoor.

Chinese APTs are becoming one big melting pot

Now, 401TRG analysts refer to the group as Winnti Umbrella, a generic term to describe a large part of the entire Chinese intelligence apparatus, as several previously separate cyber-espionage groups appear to use the same tactics and infrastructure of the original Winnti group (also known in some reports as Axiom or APT17).

After years of observing operation mistakes and seeing reuse of older attack infrastructure, researchers say that previously separate advanced persistent threats (APTs) such as BARIUM, Wicked Panda, GREF, and PassCV, now appear to share Winnti techniques and some of their infrastructure.

“TTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the Chinese intelligence community shares human and technological resources across organizations,” 401TRG experts say. “We assess with medium to high confidence that the various operations described in this report are the work of individual teams, including…