APT3
Who is APT3?
APT3 is a sophisticated attack group that has been attributed to China's Ministry of State Security (MSS). [1] FireEye first reported about APT3 in 2010, and various researchers have followed attacks attributed to this group as recently as 2017. [3][5]
In 2017, a researcher wrote about links between APT3, Boyusec, and Chinese MSS. Boyusec is a cybersecurity contractor for MSS which was reported as also having ties to Huawei Technologies. [14][15] Before 2015, APT3 targeted industries based in the US and UK to steal "intellectual property and other confidential information worth stealing." These attacks shifted targets to Hong Kong during 2015, and "increased significantly in March 2016." [3]
Aliases
- Gothic Panda
- Buckeye
- UPS Team
- TG-0110
Associated Individuals & Organizations
- Huawei Technologies
- Guangdong ITSEC
- Chinese MSS
- Boyusec
Notable Attacks
- Operation Clandestine Fox
- Operation Clandestine Wolf
- Operation Double Tap
FireEye connects IP addresses used in Operation Double Tab to a domain used in Operation Clandestine Fox. 192.184.60.229, used in Double Tap, was associated with securitywap.com. APT3 use securitywap.com during Operation Clandestine Fox. The IP address 104.151.248.173 was used in both Operation Double Tap and associated with domains used by APT3 in past campaigns. [11]
Tactics
APT3 uses a methodical approach for gaining access to victims, establishing persistence, pivoting to additional systems, and extracting information the Chinese government views as strategic to future goals. They have commonly used mass phishing campaigns to distribute malware and get an initial foothold. APT3 has used both zero-days and known exploits to deliver backdoors, which allows them to move to the next steps of their attack chain.
An example payload used during Operation Clandestine Wolf was XOR encoded and appended to a GIF file.
Malware
- Hupigon
- Pirpi
- ScanBox
Common steps APT3 takes after system compromise [2]
- Generate a particularly timed beacon that communicates over HTTP
- Drop the command line Chinese language version of WinRAR on the target
- Replace sticky keys with cmd.exe for persistence and access via RDP
- Turn on RDP if it's not already enabled
- Index and archive all office documents, compress and encrypt them with RAR and a specific password and store them in the recycle bin
- Enable the support_388945a0 account and add it to the local admin group
- Exfiltrate the data encoded over port 443 (but not SSL)
- Setup an insecure service for persistence / privilege escalation
Targets
- Government
- Research institutions
- Technology
- Aerospace
- Defense
- Transport
- Manufacturing
- Telecommunications
- Hong Kong organizations
References
[1] https://attack.mitre.org/groups/G0022/
[2] http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html
[4] https://intrusiontruth.wordpress.com/2017/05/02/who-is-mr-wu/
[5] https://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html
[6] https://www.symantec.com/connect/blogs/new-ie-zero-day-used-targeted-attacks
[7] https://www.recordedfuture.com/chinese-mss-behind-apt3/
[9] https://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html
[11] https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
[12] https://pwc.blogs.com/cyber_security_updates/2015/02/a-deeper-look-into-ScanBox.html
[14] https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/