APT 10

Red Apollo (also known as APT 10 by Mandiant, MenuPass by FireEye, Stone Panda by CrowdStrike, and POTASSIUM by Microsoft) is a Chinese state-sponsored cyberespionage group which has operated since 2006. In a 2018 indictment, the United States Department of Justice attributed the group to the Tianjin State Security Bureau of the Ministry of State Security. The team was designated an advanced persistent threat by FireEye, which reported that it targets aerospace, engineering, and telecom firms and any government that it believes is a rival of China. FireEye stated that the group could be targeting intellectual property from educational institutions such as a Japanese university and is likely to expand operations into the education sector in the jurisdictions of nations that are allied with the United States. FireEye claimed that it had tracked the group since 2009, but because of the low threat the group had posed, it was not a priority. FireEye now describes the group as "a threat to organizations worldwide."


Tactics

The group directly targets managed information technology service providers (MSPs) using remote access trojans (RATs). The general role of an MSP is to help manage a company's computer network. MSPs were often compromised by Poison Ivy, FakeMicrosoft, PlugX, ArtIEF, Graftor, and ChChes, delivered through spear-phishing emails.


History


2014 to 2017: Operation Cloud Hopper

Operation Cloud Hopper was an extensive attack and theft of information in 2017 directed at MSPs in the United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used MSPs as intermediaries to acquire assets and trade secrets from MSP clients in engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies. Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services and utilities to persist on Microsoft Windows systems even after the computer was rebooted. They installed malware and hacking tools to access systems and steal data.
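The persistence mechanisms named above (scheduled tasks and installed services that survive a reboot) leave Windows event-log traces that a defender can review. The following Python script is an added example, not code from this page or from any of the vendors it cites; it runs simple heuristics over constructed, simplified records standing in for Security event 4698 (scheduled task created) and System event 7045 (service installed). The task names, service names, paths and the heuristic lists are assumptions made for the example, not indicators from any APT10 report.

```python
"""Flag task/service creation events that look like malware persistence.

Added example: the record layout is a simplified stand-in for Windows
Security event 4698 (scheduled task created) and System event 7045
(service installed). Names, paths and heuristics are constructed for the
example and are not drawn from any published APT10 report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample events. Real 4698 events carry the task definition as
# XML; here the action is already split into Command and Arguments.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "Command": r"C:\Windows\System32\usoclient.exe", "Arguments": "StartScan"},
    {"EventID": 4698, "TaskName": r"\OneDriveSync",
     "Command": r"C:\Users\alice\AppData\Roaming\svchost.exe", "Arguments": ""},
    {"EventID": 7045, "ServiceName": "Windows Defender Service",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"EventID": 7045, "ServiceName": "NetSvcHelper",
     "ImagePath": r"cmd.exe /c powershell.exe -w hidden -enc QUJD"},
]

# Heuristics assumed for the example (not a vendor rule set). Patterns are
# matched against the lower-cased command line.
USER_WRITABLE_DIRS = [
    r"\\users\\[^\\]+\\appdata\\",
    r"\\programdata\\",
    r"\\windows\\temp\\",
    r"\\users\\public\\",
]
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                "regsvr32.exe", "wscript.exe", "cscript.exe"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


@dataclass
class Finding:
    event_id: int
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def persistence_reasons(command: str) -> List[str]:
    """Return why a task/service action looks suspicious; [] means clean."""
    cmd = command.lower()
    reasons: List[str] = []
    if any(re.search(p, cmd) for p in USER_WRITABLE_DIRS):
        reasons.append("executable lives in a user-writable directory")
    for name in sorted(SYSTEM_BINARY_NAMES):
        # A well-known system binary name that is not under System32 is a
        # common masquerade.
        if name in cmd and "\\windows\\system32\\" + name not in cmd:
            reasons.append(f"system binary name {name} outside System32")
    hosts = sorted(h for h in SCRIPT_HOSTS if h in cmd)
    if hosts:
        reasons.append("script host or shell used as the action: " + ", ".join(hosts))
    if re.search(r"\s-e(nc|ncodedcommand)?\b", cmd):
        reasons.append("encoded PowerShell command line")
    if re.search(r"-w(indowstyle)?\s+hidden", cmd):
        reasons.append("hidden window requested")
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Finding]:
    """Walk the event records and collect the ones worth an analyst's look."""
    findings: List[Finding] = []
    for ev in events:
        if ev["EventID"] == 4698:
            name = str(ev["TaskName"])
            command = f'{ev["Command"]} {ev["Arguments"]}'.strip()
        elif ev["EventID"] == 7045:
            name = str(ev["ServiceName"])
            command = str(ev["ImagePath"])
        else:
            continue  # other event IDs are outside this example's scope
        reasons = persistence_reasons(command)
        if reasons:
            findings.append(Finding(int(ev["EventID"]), name, command, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id} {f.name!r}: " + "; ".join(f.reasons))
```

Run as a script, it reports the two constructed events whose action runs from a user-writable path under a system binary's name or invokes a shell with an encoded, hidden command; the two benign records produce nothing. In practice the records would come from the event log itself (for 4698, by parsing the task XML for its Exec action) and the heuristic lists would be tuned to the environment's own software inventory.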


2016 US Navy personnel data

Hackers accessed records relating to 130,000 US Navy personnel (out of 330,000). In response, the Navy decided to coordinate with Hewlett Packard Enterprise Services, despite warnings having been given prior to the breach. All affected sailors were required to be notified.


2018 Indictments

A 2018 indictment showed evidence that CVNX was not the name of the group, but was the alias of one of two hackers. Both used four aliases each to make it appear as if more than five hackers had attacked.


Post-Indictment activities

In April 2019 APT10 targeted government and private organizations in the Philippines. In 2020 Symantec implicated Red Apollo in a series of attacks on targets in Japan. In March 2021, the group targeted the intellectual property of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker, for exfiltration.


See also

* China–United States relations
* Cyberwarfare and China

