Bringing cybersecurity globally to critical and complex key activities
Alias: APT 17, APT17, APT 41, APT41, Aurora Panda, Axiom, BRONZE ATLAS, BRONZE EXPORT, Barium, Blackfly, Deputy Dog, DeputyDog, Dogfish, Group 8, Group 72, Group72, Hidden Lynx, Lead, Ragebeast, Suckfly, Tailgater, Tailgater Team, Wicked Panda, Wicked Spider, WinNTI, Winnti Group, Winnti Umbrella
ATK2 (aka: Aurora Panda) group has been in operation since at least 2009 and is most likely a professional organization that offers a “hackers for hire” service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the group would need to be a sizeable organization made up of between 50 and 100 individuals.
The members of this group are experts at breaching systems. They engage in a two-pronged strategy of mass exploitation and pay-to-order targeted attacks for intellectual property using two Trojans designed specifically for each purpose:
Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China. The ATK2 group makes regular use of zero-day exploits and has the ability to rework and customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The ATK2 group is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.
Between January and March 2020, APT41 launch a large scan attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central on a large number of companies in many sectors and countries. During these exploitation attempt, APT41 only used publicly available malware such as Cobalt Strike and Meterpreter. These tools were propably used as reconnaissance step before useing more advanced custom malwares. This campaign shows that the group is ressourceful and can quickly leverage newly disclosed vulnerabilities.
REFERENCES