Threat Actor Profile
Origin: China, 2010
Aliases: Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Key Target Sectors: Aerospace, Defense, Construction and Engineering, High Tech, Telecommunications, and Transportation
Attack Vectors: Spear Phishing, Backdoor, Zero-day Attacks
Target Region: Eastern Asia, North America
Malware Used: Shotput, Sogu, PlugX, OSInfo, RemoteCMD, DoublePulsar, FuzzBunch, EternalBlue, EternalSynergy, EternalRomance
Vulnerabilities Exploited: CVE-2014-6332, CVE-2019-0703, CVE-2017-0143, CVE-2015-3113, CVE-2014-4113
Tools Used: Schtasks, CookieCutter
APT3 (aka Gothic Panda, Pirpi, Buckeye) is a China-based threat group that was first discovered in 2010. The group is linked to the Chinese Ministry of State Security (China's Intelligence Services) and held responsible for several popular cyber espionage campaigns, including Operation Clandestine Wolf (2015), Clandestine Fox (2014), and Double Tap (2014). The group is known to target countries like South Korea, Hong Kong, and the United States of America.
Which organizations have they targeted?
APT3 has targeted organizations in various sectors, including Aerospace, Defense, Transportation, Telecommunications, Construction Engineering, and High Tech. In the initial years of its discovery, the group mostly targeted US-based organizations of strategic importance, like Moody's Analytics, Siemens AG, and Trimble, Inc. In 2015, the group shifted its focus from US victims to political organizations located in Hong Kong (because of upcoming Hong Kong’s 2016 elections). In March 2018, the Olympic Winter Games in Pyeongchang, South Korea, was hit by a cyber attack (OlympicDestroyer), that caused temporary disruption to IT systems, including the official Olympics website, Wi-Fi connections and display monitors. The numerous code fragments used in that cyber attack were uniquely linked to threat actor groups tracked as APT3, APT10, and APT12.
What is their motivation behind the attacks?
The group is known to steal critical information from private organizations or government entities, to fulfill the larger Chinese political economic or military goals. The threat actors are interested in the exfiltration of essential government documents to gain a strategic and competitive advantage for the Chinese government and private organizations. For instance, at present when several ambitious projects of China are unfolding, like One Belt One Road (OBOR) projects, the APT3 could be seen targeting the project’s regional opponents.
APT3 has a history of using browser-based exploits such as zero-days (e.g., Adobe Flash Player, Firefox, and Internet Explorer) to infiltrate inside the targeted network. For instance, in one of their cyber campaigns in April 2014 (Operation Clandestine Wolf), they exploited a now-patched vulnerability (CVE-2015-3113) in Adobe Flash Player 126.96.36.199. After successfully exploiting and infiltrating into a targeted host, they quickly dump credentials, move sideways to additional hosts, and install the custom backdoors (like RemoteCMD, OSInfo, and ShotPut). APT3 is also known to use spear-phishing emails with compressed executable attachment. The APT's command and control (CnC) infrastructure is hard to track and attribute, as there is little overlap across their campaigns (as it happened only once when the same domain was used in operation Clandestine Fox and Double Tap).
Known tools and malware
APT3 utilizes a wide range of techniques and tools, including spearphishing attacks, zero-day exploits, as well as custom-built malware. The group also used variants of the sophisticated hacking tools connected to other popular groups, including the Equation Group.
Known Zero Days Vulnerabilities
- Unicorn Bug (CVE-2014-6332) - A critical vulnerability that allows remote code execution in Internet Explorer.
- Windows SMB Information Disclosure Vulnerability (CVE-2019-0703) - An information disclosure vulnerability that exists in the way that the Windows SMB Server handles certain requests.
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0143) - A remote code execution vulnerability that exists in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles specific requests. This vulnerability is used in EternalSynergy and EternalRomance exploits.
- Adobe Flash Player Heap-based buffer overflow (CVE-2015-3113) - An unspecified heap-based buffer-overflow vulnerability in Adobe Flash Player.
- Windows Kernel-Mode Vulnerability (CVE-2014-4113) - An local privilege-escalation vulnerability that existed in Microsoft Windows-based platform.
Note - All the above vulnerabilities have been patched by the respective vendors, and updated versions can be downloaded from their websites.
Malicious programs used by APT3
- PlugX - It is a remote access tool (RAT), based on modular plugins. Multiple threat groups have been using it for various campaigns.
- Sogu - It is a Trojan horse that opens a back door on the compromised computer.
- DoublePulsar, FuzzBunch, EternalBlue, EternalSynergy, and EternalRomance - Sophisticated tools connected to the Equation Group, an NSA-linked APT group. APT3 had used these tools for more than a year before the Shadow Brokers leak happened in Summer 2016.
Known Commercial/Open Source tools used by APT3
- Schtasks - It is used to schedule the execution of programs or scripts on a Windows system to run at a specific date and time.
- CookieCutter - A command-line utility that creates projects from project templates (E.g. Python package projects, jQuery plugin projects).
Custom tools used by APT3
- OSInfo - It is a custom tool used by APT3 to make an internal discovery on a victim's computer and network.
- ShotPut - It is a custom backdoor used by APT3.
- RemoteCMD - It is a custom tool used by APT3 to execute commands on a remote system similar to Sys Internal's PSEXEC functionality.
In 2016, three individuals responsible for purchasing APT3 domains for cyber-espionage campaigns were identified, named as Wu Yingzhuo, Dong Hao and Xia Lei. All three individuals had a long history of purchasing infrastructure used by APT3. Wu Yingzhuo and Dong were the major shareholders of a Chinese InfoSec company called the Guangzhou Boyu Information Technology Company, Ltd. (Boyusec). The Pentagon intelligence officials identified Boyusec as being a contractor for the Chinese Ministry of State Security (MSS). In Nov 2017, an indictment was unsealed in the USA against them.
To thwart off cyber-attacks from threats like APT3, the organizations should deploy endpoint protection solutions with real-time intelligence and automated tactical threat intelligence exchange. Given the prevalence of attacks used by APT3 that exploit known vulnerabilities, rigorous patch management, and vulnerability assessments practices are a must. Combating APTs like this requires a combination of techniques and tools that ideally work in an orchestrated manner. Orchestration tools that allow real-time Threat Intel ingestion, analysis, correlation, dissemination and actioning through automated Playbooks can go a long way in tackling the nefarious designs of such APTs. Network monitoring can also help expose suspicious activities, like using network APT detection solutions can help detect custom malware used by APT3. The APT3 is also known to use spear-phishing, which could be prevented via giving proper training to IT professionals and employees with phishing simulations, tough policies and periodic refreshers that discourage unsafe behaviors.
Indicators of Compromise
951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7 1c9f1c7056864b5fdd491d5daa49f920c3388cb8a8e462b2bc34181cef6c1f9c 3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e 7bfad342ce88de19d090a4cb2ce332022650abd68f34e83fdc694f10a4090d65 6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc 01f53953db8ba580ee606043a482f790082460c8cdbd7ff151d84e03fdc87e42 53145f374299e673d82d108b133341dc7bee642530b560118e3cbcdb981ee92c cbe23daa9d2f8e1f5d59c8336dd5b7d7ba1d5cf3f0d45e66107668e80b073ac3
Originating IP Address