ATK41

Presumed Origin: China

Alias: APT 10, APT10, BRONZE RIVERSIDE, CVNX, Cicada, Cloud Hopper, DustStorm, HOGFISH, POTASSIUM, Red Apollo, Stone Panda, happyyongzi, menuPass, menuPass Team

ATK41 (aka: APT10, Stone Panda, CVNX, MenuPass Group, Potassium, Red Apollo, Hogfish, Cloud Hopper, DustStorm, Happyyongzi) is a threat group that appears to originate from China and has been active since approximately 2009. The group also conducts supply chain attacks, compromising intermediaries in order to infiltrate large organizations and run industrial espionage campaigns. Among its preferred targets are companies in the energy, high-tech and manufacturing sectors.


However, some of the attackers have been arrested by the US FBI. Indeed, on 17 December 2018, a grand jury in the United States District Court for the Southern District of New York indicted ZHU HUA, a.k.a. "Afwar", a.k.a. "CVNX", a.k.a. "Alayos", a.k.a. "Godkiller", and ZHANG SHILONG, a.k.a. "Baobilong", a.k.a. "Zhang Jianguo", a.k.a. "Atreexp". The defendants worked for Huaying Haitai Science and Technology Development Company, located in Tianjin, China, and acted in association with the Tianjin State Security Bureau of the Chinese Ministry of State Security.


Target sector

  • Aerospace
  • Defense
  • Energy
  • Financial Services
  • Government and administration agencies
  • Healthcare
  • High-Tech
  • Manufacturing
  • Media

Target countries

  • Belgium
  • China
  • France
  • Germany
  • Mexico
  • Philippines
  • Japan
  • Korea, Republic of
  • India
  • Hong Kong
  • Singapore
  • Taiwan
  • Thailand
  • United Arab Emirates
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Viet Nam

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1021 - Remote Services
  • T1022 - Data Encrypted
  • T1027 - Obfuscated Files or Information
  • T1036 - Masquerading
  • T1038 - DLL Search Order Hijacking
  • T1039 - Data from Network Shared Drive
  • T1046 - Network Service Scanning
  • T1047 - Windows Management Instrumentation
  • T1049 - System Network Connections Discovery
  • T1053 - Scheduled Task
  • T1056 - Input Capture
  • T1059 - Command-Line Interface
  • T1064 - Scripting
  • T1073 - DLL Side-Loading
  • T1074 - Data Staged
  • T1076 - Remote Desktop Protocol
  • T1078 - Valid Accounts
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1090 - Connection Proxy
  • T1093 - Process Hollowing
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1140 - Deobfuscate/Decode Files or Information
  • T1193 - Spearphishing Attachment
  • T1199 - Trusted Relationship
  • T1204 - User Execution

Motivation

  • Espionage

Malware

  • ChChes
  • EvilGrab
  • Mimikatz
  • Mis-Type
  • Misdat
  • PoisonIvy
  • QuasarRAT
  • RedLeaves
  • S-Type
  • SNUGRIDE
  • UPPERCUT
  • ZLib
  • Sodamaster

Vulnerabilities

  • CVE-2020-1472