Go to listing page

APT10: A Chinese Threat on a Global Espionage Mission

APT10: A Chinese Threat on a Global Espionage Mission

Share Blog Post

Origin: 2006.

Aliases: Bronze Starlight, Cicada, Cloud Hopper, Red Apollo, CNVX, Stone Panda, MenuPass, POTASSIUM, MenuPass Group, APT 10

Targeted Sectors: Construction and Engineering, Aerospace, Telecom, Government

Targeted Regions: North America, Western Asia, Eastern Asia, Western Europe, Eastern Europe, and Africa.

Motive: Espionage, Data Theft

Malware Used: ScanBox, Quasar, BugJuice, SnuGride, HayMaker, Uppercut, RedLeaves, PlugX, Hartip, SodaMaster, Ecipekac, P8RAT, FYAnti, Impacket.AI, Rook, Pandora, AtomSilo, LockFile, and Night Sky.

Tools Used: AdFind, certutil, Cobalt Strike, Ecipekac, esentutl, Mimikatz, PsExec, and pwdump.

Introduction

Believed to be active since 2006, APT10 is a Chinese state-sponsored cyberespionage group, possibly connected to the Chinese Ministry of State Security (MSS). In 2018, the group was reported snooping and stealing trade secrets and technologies from at least 12 countries. Multiple security agencies track the group with different names such as MenuPass by FireEye, Stone Panda by Crowdstrike, APT10 by Mandiant, and POTASSIUM by Microsoft.

In June 2022, this group was observed using ransomware attacks as a decoy to cover up its malicious activities, which is an uncommon tactic to be used by an APT group.

Attack Methods

APT10 has been using traditional attack methods such as spear-phishing, as well as modern tactics such as supply chain attacks. Since 2009, the group has mostly been using LNK files within archives and files with double extensions in its spear-phishing attacks. In some cases, it used identically named decoy documents and malicious launchers inside the same archive.

Starting in 2017, according to Mandiant, APT10 began hacking and accessing victims’ networks through global service providers, via sophisticated supply chain attacks. Service providers usually have significant access to customer networks that allows an attacker to move laterally inside a compromised network and infect more systems.

Additionally, the group is known to have used DLL Hijacking/DLL side-loading to run a payload in memory, and process hollowing techniques to remove code in an executable file and replace it with malicious code.

In 2017, Operation Cloud Hopper spread over 70 variants of backdoors, malware, and trojans using spear-phishing emails. The attacks scheduled tasks or used services/utilities to persist in Windows systems. Further, they installed malware and hacking tools to access systems and steal data.

In addition to this, APT10 was observed abusing some trending flaws, including ProxyLogon and ProxyShell, in Exchange Servers to target its victims. Around mid-2022, it was seen in an attack campaign carrying a ransomware payload to hide its espionage-related intentions and manipulate security professionals. It was apparently creating short-lived ransomware strains while targeting Japanese and western organizations to steal their intellectual properties by posing ransomware.

Malware and Tools

The APT10 gang has used various malware in its attacks:

The group has used a wide range of tools in its attack campaigns, including AdFind, certutil, Cobalt Strike, Ecipekac, esentutl, Mimikatz, PsExec, PowerSploit, Wevtutil, esentutl, tcping, Ntdsutil, Csvde, and pwdump.

Attribution

APT10 is believed to have strong connections with Chinese state agencies, and its operations are mostly aligned with Chinese national interests. The group has participated in cyberattacks targeting the 2018 Olympics, which is considered one of the most deceptive hacks. Researchers identified numerous code fragments in the Olympic Destroyer malware, ultimately linking it back to APT10. In September, a mysterious threat hunting group named Intrusion Truth reported that APT10 is associated with the Chinese intelligence agency, particularly China’s Ministry of State Security (MSS). The report also named two Chinese individuals Zhu Hua and Zhang Shilong, who was later charged with breaking into the networks of more than 45 technology firms and some U.S. government agencies.

In 2020, Symantec uncovered an attack campaign by Cicada targeting multiple Japanese organizations in the pharmaceutical, engineering, and automotive sectors, as well as managed service providers. Eventually, it turned out that the same group that the U.S. government agencies have been tracking as APT10.

In April 2022, APT10 activities overlapped with another threat group named TA410. The TA410 group was seen using an upgraded version of malware called JollyFrog, which has been attributed to APT10 by Fortinet. Moreover, another tool used by TA410, called FlowingFrog, shares network infrastructure (the domain ffca.caibi379[.]com) with APT10’s JolllyFrog malware, providing further hints of a connection between the duo.

Attack Profile

As mentioned above, the U.S. federal agencies have been tracking APT10 for targeting MSPs, including Hewlett Packard Enterprise and IBM, and other IT companies across a dozen states. The group mostly targets aerospace, engineering, and telecom firms and any government that is a rival of the Chinese regime.

Additionally, the threat actor has targeted manufacturing companies located in India, Japan, and Northern Europe. At present, it is often observed targeting North America and East Asia.

Notable attacks

2014 to 2018: From 2014 to 2018, the group carried out Operation Cloud Hopper, an extensive attack and theft of information directed at MSPs in the U.K, U.S., Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea, and Australia. The group used MSPs as intermediaries to acquire assets and trade secrets from MSP-client engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies. Records of more than 130,000 U.S. Navy personnel, including their Social Security numbers, dates of birth, and salaries, were acquired by the cybercriminals. Around the end of 2018, it was revealed that around nine global service providers, including IBM and HPE, were compromised by these attacks.

2019 to 2022: In mid-2019, German software maker TeamViewer disclosed that it was targeted by a China-linked threat actor, possibly APT10, back in 2016. The same year, ADEO IT Consulting Services reported that APT10 has a particular interest in Turkey, for which it was targeting critical sectors such as finance and telecommunications.

Over the next three years, the group carried out several attacks on various industries, some of the notable ones are as follows. In 2020, a large-scale attack campaign targeted various Japanese organizations, including subsidiaries located in 17 regions worldwide. In 2021, the group targeted the IT systems of two Indian vaccine makers whose coronavirus shots were used in the country's immunization campaign. 

At the beginning of 2022, a Taiwan-based security agency linked APT10 to attacks exploiting a vulnerability in a security product that was used by around 80% of organizations in the Taiwanese financial sector. Moreover, in June 2022, the gang was found stealing intellectual property from Western and Japanese firms using HUI Loader to deploy remote access trojans. 

Mitigation

Spear-phishing is one of the oldest and primary attack methods used by APT10, and therefore, organizations are suggested to provide training to their employees on identifying and responding to phishing emails. The group is well versed in using a wide range of malicious tools. A multi-layered approach toward security, along with behavior-based anti-malware solutions, could be an effective strategy as the initial line of defense. Further, to limit external access to devices, implement strong access control for users, maintain effective endpoint security, and enable effective log files for devices, systems, and applications.

But, that isn’t enough in a hyper-connected world of devices to protect them, keeping the APTs’ growing sophistication in mind. It urges for a holistic security program that is threat intelligence-driven and automation-enabled. Security teams need to leverage real-time threat intelligence to stay aware of changing tactics of the threat in the current thriving cyberattack landscape. Such a security strategy helps in improving threat prediction and producing actionable and positive outcomes.

Conclusion

APT10 has been successfully operating for more than a decade and is still active with new espionage operations, which indicates the continuous efforts made by its operators to keep it active and hidden. Further, it uses a vast range of tool sets, including multiple malware to carry out attacks, pointing toward the wide range of skills and availability of resources. APT10, just like other China-based entities, targets entities that are aligned with the geopolitical interests of that nation.
.

Indicators of Compromise


June 2022
SHA1
5df448af3f7935c3f4a2904b16af9ea00d13cb0c
46a9b419d73a518effbc19c3316d8a20cff9ce4a
Dbc48357bfbe41f5bfdd3045066486e76a23ad2d
B24e254f6fdd67318547915495f56f8f2a0ac4fe
d9efd4c4e1fb4e3d4a171c4ca0985839ad1cdee9 a413f4bcb7406710b76fabdaba95bb4690b24406 160320b920a5ef22ac17b48146152ffbef60461f 3246867705e8aad60491fe195bcc83af79470b22 ead02cb3f6b811427f2635a18398392bc2ebca3a 64f5044709efc77230484cec8a0d784947056022 a75e9b702a892cc3e531e158ab2e4206b939f379

MD5
F3355c8f43dada5a62aab60089c03d1e
B0175b09e58d34689a7403abed2ae2f5
577a47811b3c57a663bcbf2aab99c9e3
69ef2d7f9ed29840b60a7fd32030cbd1
f259765905cd16ff40132f35c85a862a
bde2a3c8e034d30ce13e684f324c6702
0c4a84b66832a08dccc42b478d9d5e1b
4c3c7053ec145ad3976b2a84038c5feb
a4a6abf4ed4c9447683fba729a17197b
809fcab1225981e87060033d72edaeaf
b16bb2f910f21e2d4f6e2aa1a1ea0d8b

SHA256
c7a515276883a03981accfac182341940eb36071e2a59e8fb6cb22f81aa145ae 5b5cd007fb96eef68d3d123eba82a4e4dfce50cdf3b05fe82bfa097870c09903 70225015489cae369d311b62724ef0caf658ffdf62e5edbafd8267a8842e7696 91f8805e64f434099d0137d0b7ebf3db3ccbf5d76cd071d1604e3e12a348f2d9 7fe5674c9a3af8413d0ec71072a1c27d39edc14e4d110bfeb79d1148d55ce0b6 f04f444d9f17d4534d37d3369bf0b20415186862986e62a25f59fd0c2c87562f 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b 15b52c468cfd4dee4599ec22b1c04b977416fbe5220ab30a097f403903d28a3a b0fb6c7eecbf711b2c503d7f8f3cf949404e2dd256b621c8cf1f3a2bdfb54301 62fea3942e884855283faf3fb68f41be747c5baa922d140509237c2d7bacdd17 8502852561fcb867d9cbf45ac24c5985fa195432b542dbf8753d5f3d7175b120

April 2022
IP
45[.]124[.]115[.]103
185[.]225[.]19[.]17
94[.]158[.]245[.]249
5[.]252[.]179[.]227
222[.]186[.]151[.]141
47[.]111[.]22[.]65
114[.]55[.]109[.]199
185[.]225[.]17[.]39
43[.]254[.]216[.]104
45[.]124[.]115[.]103
161[.]82[.]181[.]4
43[.]254[.]219[.]153
154[.]223[.]141[.]36
103[.]139[.]2[.]93

SHA1
C96558312FBF5847351B0B6F724D7B3A31CCAF03 1403241C415A8D686B1148FA4229A2EB833D8D08 38D0E92AFF991CFC9C68D7BAAD6CB85916139AF5 AF978ED8AD37CE1437A6B42D96BF518D5C4CFD19 B70F3A3A9B5B8506EE95791469CA496E01AD7DAF 014421BDB1EA105A6DF0C27FC114819FF3637704 EA298866E5A61FEEA4D062987F23B10A78C8A4CA 021B9E2E8AA30B29569254C0378A9F43E4F32EEC 2A2F08FAD6B0A86DC94885224687D954E739CC21 3658B7CCA13C8C8AD03E9B6AEFE4B9CBE48E3C81 517488F6BD0E7FC9EDE82F37226A75212B277E21 C05B4AD7A3322917E17710842FB88A090198D51F DB2DF1BDF8145CB8ABA3A2026A3CC3EF4F1762BE EDE2AB811311FC011B1E89C5A0B7A60C123B7398 7AA35BA7030AFCD271436DE8173D7B2F317A1BFC A5C02ABE698300F3DE0B7CC7F0856652753831DA 613C4AFAE8F5F80F22DCD1827E3230FCA361ADA5 859CD6DFDADAB3D6427C6C1C29581CB2094D648F DBEA7F0C0D2BF8BC365A2D1572CA1538FE8FB9A3 ADD5B4FD9AEA6A38B5A8941286BC9AA4FE23BD20 7BA42061568FF6D9CA5FE5360DCE74C25EA48ADA D81215890703C48B8EA07A1F50FEC1A6CA9DF88B F359D3C074135BBCA9A4C98A6B6544690EDAE93D 621B31D5778EC2FB72D38FB61CED110A6844D094 BC11DC8D86A457A07CFE46B5F2EF6598B83C8A1F C369E1466F66744AA0E658588E7CF2C051EE842F B868764C46BADC152667E9128375BA4F8D936559 BDECA89B4F39E6702CE6CBBC9E6D69F6BBAB01C8 5379FBB0E02694C524463FDF7F267A7361ECDD68 6CC6170977327541F8185288BB9B1B81F56D3FD0 D95185A4A3F8512D92F69D2ED7B8743638C54BE8 BE7F0E41CD514561AED43B07AA9F5F0842BF876C 7F663F50E9D6376715AEB3AB66DEDE038258EF6C BEDA1224B3BB9F98F95FF7757D2687F4D9F4B53A 2B61E7C63A0A33AAC4CF7FE0CEB462CF6DACC080 EF3C796652141B8A68DCCF488159E96903479C29 6B547C244A3086B5B6EA2B3A0D9594BBE54AE06B 4CDCE3AF614C2A5E60E71F1205812AB129C0955B

Filenames
setlangloc[.]dll
hidmouse[.]sys
winver32[.]dll
hhh[.]exe
winver64[.]dll
phx[.]dll
libcurl[.]dll
meterpreter[.]exe
responsor[.]dat
OnKeyToken_KEB[.]dll
m[.]exe qrt[.]dll
qrt[.]dll[.]usb
sll[.]exe
PresentationCache[.]exe
HTra[.]exe
HTran13[.]exe
event[.]exe
htran[.]exe
htran_f-secury[.]exe
inbt[.]zip
msd017[.]exe

 Tags

olympic destroyer code
financial firms
telecommunications
threat intelligence feeds
proxyshell
dll hijacking
cloud hopper
taiwanese
ibm
proxylogon
cicada
teamviewer
hewlett packard enterprise
spear phishing attempt

Posted on: August 08, 2022

Related Guides


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.