ATK41

Presumed Origin: China < Back

Alias: APT 10, APT10, BRONZE RIVERSIDE, CVNX, Cicada, Cloud Hopper, DustStorm, HOGFISH, POTASSIUM, Red Apollo, Stone Panda, happyyongzi, menuPass, menuPass Team

ATK41 (aka: APT10, Stone Panda, CVNX, MenuPass Group, Potassium, Red Apollo, Hogfish, Cloud Hopper, DustStorm, Happyyongzi) is a threat group that appears to originate from China and has been active since approximately 2009. The group is also used to conduct supply chain attacks in order to infiltrate large groups to conduct industrial espionage campaigns. Among the preferred targets of this group are companies in the energy, high-tech and manufacturing sectors.

However, some of the attackers have been arrested by the US FBI. Indeed, on 17 December 2018, a grand jury in the United States District Court for the Southern District of New York indicted ZHU HUA , a.k.a. "Afwar", a.k.a. "CVNX", a.k.a. "Alayos", a.k.a. "Godkiller", and ZHANG SHILONG , a.k.a. "Baobilong", a.k.a. "Zhang Jianguo", a.k.a. "Atreexp". The defendants worked for Huaying Haitai

Science and Technology Development Company located in Tianjin, China, and acted in association with the Tianjin State Security Bureau of the Chinese Ministry of State Security.

REFERENCES

- https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/
- 06/04/2017, FireEye, APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat
- 15/08/2018, Intrusion Truth, APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security
- 13/09/2018, FireEye, APT10 Targeting Japanese Corporations Using Updated TTPs
- 06/02/2019, Recorded Future, APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign
- 24/05/2019, enSilo, Uncovering New Activity By APT10
- 16/02/2017, Unit42, menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
- 23/12/2016, Cylance, Operation Dust Storm
- 26/06/2019, Reuters, Inside the West’s failed fight against China’s ‘Cloud Hopper’ hackers
- 21/12/2018, FBI, APT 10 GROUP
- 17/11/2020, Symantec, Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign
- http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
- https://www.cfr.org/interactive/cyber-operations/apt-10
- https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf

Target sector

Aerospace
Defense
Energy
Financial Services
Government and administration agencies
Healthcare
High-Tech
Manufacturing
Media

Target countries

Belgium
China
France
Germany
Mexico
Philippines
Japan
Korea, Republic of
India
Hong Kong
Singapore
Taiwan
Thailand
United Arab Emirates
United Kingdom Of Great Britain And Northern Ireland
United States Of America
Viet Nam

Attack pattern

T1002 - Data Compressed
T1003 - Credential Dumping
T1005 - Data from Local System
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021 - Remote Services
T1022 - Data Encrypted
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1038 - DLL Search Order Hijacking
T1039 - Data from Network Shared Drive
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053 - Scheduled Task
T1056 - Input Capture
T1059 - Command-Line Interface
T1064 - Scripting
T1073 - DLL Side-Loading
T1074 - Data Staged
T1076 - Remote Desktop Protocol
T1078 - Valid Accounts
T1086 - PowerShell
T1087 - Account Discovery
T1090 - Connection Proxy
T1093 - Process Hollowing
T1105 - Remote File Copy
T1107 - File Deletion
T1140 - Deobfuscate/Decode Files or Information
T1193 - Spearphishing Attachment
T1199 - Trusted Relationship
T1204 - User Execution

Motivation

Espionage

Malwares

ChChes
EvilGrab
Mimikatz
Mis-Type
Misdat
PoisonIvy
QuasarRAT
RedLeaves
S-Type
SNUGRIDE
UPPERCUT
ZLib
Sodamaster

Vulnerabilities

CVE-2020-1472