loader gif

APT10: A brief look into the Chinese hacker group’s targets and operations

China - East Asia,Internet,Chinese Culture,Technology,Chinese Ethnicity,Computer,Searching,Global Communications,Transportation,Visit,Black Color,Business Travel,Button,Campaign Button,Coat Of Arms,Computer Keyboard,Connection,Country - Geographic Area,Desktop PC, Enter Key, Entering, Flag, Global, Global Business, Horizontal, International Landmark, International Match, National Landmark,
  • This Chinese threat actor is mostly known for targeting Western government agencies around the world.
  • Most of the targets are aimed at acquiring valuable military and intelligence information as well as trade secrets.

APT10 is a prolific Chinese cyber-espionage group that has been active since early 2009. It is also known by other names such as Stone Panda, CVNX Potassium and Red Apollo. Researchers from CrowdStrike claim that the threat actor group is believed to be directly connected to the Chinese Ministry of State Security’s (MSS) Tianjin bureau, Threat Post reported.

Primary targets

This threat actor is mostly known for targeting Western government agencies around the world. Since 2013, the threat actor is alleged to be behind a series of cyber attacks targeting various countries including Japan, Canada and France. Most of the targets are aimed at acquiring valuable military and intelligence information as well as trade secrets in order to support Chinese corporations.

The group has been linked to two recent massive attack campaigns namely - ‘Cloud Hopper’ and ‘Operation TradeSecret’.

The first campaign - Cloud Hopper - was carried out against managed security service provider in several countries in order to steal sensitive data and intellectual property. Canada, France, South Africa, Australia, Japan and India were among the affected countries.

The second campaign - Operation TradeSecret - involved a strategic web compromise on a prominent US lobbying group related to the US’ foreign trade policy.

Modus Operandi

The recent cyber attacks by APT10 include both traditional spear phishing and access to victim’s networks through service providers. In the case of spear phishing attack, APT10 leverages .lnk files or files with double extensions in order to trick its victims. In some cases, it creates decoy documents in order to launch malware.

Another process used by APT10 involves accessing victim’s networks through global service providers. To initiate the process, the APT first compromises the network of the service provider, which in turn enables them to gain significant access to customers’ networks. This allows the APT group to interfere with a customer’s web traffic and exfiltrate data stealthily.

Most of the cyber espionage attacks by APT10 involves a SOGU backdoor malware - which is used to connect the victim’s network with the C2(Communication and Control) server.

Stone Panda unveiled new tools during 2016/2017 attacks. While it continued to use SOGU in most the attacks, the current wave of intrusion involved the usage of other backdoor malware such as HAYMAKER, SNUGRIDE, BUGJUICE and QUASARRAT.

Tactics, Techniques and Procedures (TTP)

APT10 is a threat to government organizations and agencies worldwide. Their abuse of service provider networks proofs that the peripheral organizations continue to be of top interest to these malicious actors. Their TTP include:

  • Using a custom dropper for their various implants. This dropper makes use of DLL side-loading to execute main payloads.
  • Using custom backdoor malware to attack targeted MSPs, engineering and other sectors.
  • Masking documents with malicious malware in order to trick users.
loader gif