APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations.
Name: Stone Panda (CrowdStrike), APT 10 (Mandiant), menuPass Team (Symantec), menuPass (Palo Alto, FireEye), Red Apollo (PWC), CVNX (BAE Systems), Potassium (Microsoft), Hogfish (iDefense), Happyyongzi (FireEye), Cicada (Symantec), Bronze Riverside (SecureWorks), CTG-5938 (SecureWorks), ATK 41 (Thales), TA429 (Proofpoint), ITG01 (IBM)
Location: China
Suspected attribution: State-sponsored, Tianjin bureau of the Chinese Ministry of State Security, Huaying Haitai
Date of initial activity: 2006-2009
Targets: Construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan.
Motivation: Espionage
Associated malware: ANEL, ChChes, Cobalt Strike, PlugX, Poison Ivy, QuasarRAT, QuasarRAT Loader, RedLeaves
Attack vectors: Recent APT10 activity has included both traditional spear phishing and access to victim networks through managed service providers (for more information on infection via service providers see M-Trends 2016). APT10 spear phishes have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions (e.g. [Redacted]_Group_Meeting_Document_20170222_doc_.exe), and in some cases simply identically named decoy documents and malicious launchers within the same archive. These lures depend on user interaction rather than on an exploit: a .lnk shortcut executes whatever command line it carries when opened, and a double-extension name relies on Windows Explorer hiding the real extension by default. In addition to the spear phishes, FireEye Threat Intelligence has observed APT10 accessing victims through global service providers.
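The three lure patterns listed above (a .lnk inside an archive, a document-looking double extension, and a decoy document paired with a same-named launcher) can all be spotted from an archive's file listing alone, before anything is extracted. The following is an added example written for this page, not FireEye's or the threat group's code; the rule names, extension lists and the sample archive are assumptions constructed for illustration, and the sample is built in memory rather than taken from a real APT10 lure.

```python
"""Triage heuristics for archive-based spear-phishing lures.

Added example (not from the original page). Given the member names of an
archive, it flags:
  lnk_in_archive       a Windows shortcut shipped inside the archive
  double_extension     an executable whose stem ends in a document token,
                       e.g. "Report_doc_.exe" or "Invoice.pdf.exe"
  decoy_launcher_pair  a document and an executable sharing the same stem
"""
import io
import zipfile
from collections import defaultdict

# Assumed extension sets; extend for your environment.
EXEC_EXTS = {".exe", ".scr", ".lnk", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
DOC_TOKENS = {e.lstrip(".") for e in DOC_EXTS}


def split_name(member):
    """Return (stem, lowercase extension with dot) for an archive member path."""
    base = member.rsplit("/", 1)[-1]
    if "." in base:
        stem, ext = base.rsplit(".", 1)
        return stem, "." + ext.lower()
    return base, ""


def analyze_listing(names):
    """Return a list of (rule, subject) findings for a list of member names."""
    findings = []
    exts_by_stem = defaultdict(set)
    for name in names:
        stem, ext = split_name(name)
        exts_by_stem[stem.lower()].add(ext)
        if ext == ".lnk":
            findings.append(("lnk_in_archive", name))
        if ext in EXEC_EXTS:
            # "..._doc_.exe" -> strip trailing underscores, take the last token
            # "Invoice.pdf.exe" -> treat inner dots like underscores
            tail = stem.lower().rstrip("_").replace(".", "_").rsplit("_", 1)[-1]
            if tail in DOC_TOKENS:
                findings.append(("double_extension", name))
    for stem, exts in exts_by_stem.items():
        if exts & DOC_EXTS and exts & EXEC_EXTS:
            findings.append(("decoy_launcher_pair", stem))
    return findings


def analyze_zip(data):
    """Run the heuristics over the listing of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return analyze_listing([i.filename for i in zf.infolist() if not i.is_dir()])


def build_sample_archive():
    """Constructed lure archive mirroring the patterns in the text (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Group_Meeting_Document_20170222.docx", b"decoy document")
        zf.writestr("Group_Meeting_Document_20170222.lnk", b"shortcut launcher")
        zf.writestr("Group_Meeting_Document_20170222_doc_.exe", b"MZ launcher")
    return buf.getvalue()


if __name__ == "__main__":
    for rule, subject in analyze_zip(build_sample_archive()):
        print(f"{rule:20} {subject}")
```

The listing check is cheap enough to run on every inbound archive at the mail gateway; a hit is a reason to detonate or quarantine, not proof of compromise, since legitimate archives occasionally ship shortcuts or oddly named installers.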
BRONZE RIVERSIDE, also known as APT10, Stone Panda, the menuPass group and other names, initially targeted government, aerospace and defense organizations; the scope of its targeting has since expanded. It is a significant threat to organizations producing intellectual property in industry verticals that the Chinese state has identified as strategically important, and to any organization that provides managed IT infrastructure services to them. The scale and persistence of this activity indicate a well-resourced and capable actor, although it also raises questions about the organizational structure of Chinese threat groups and the degree to which access and infrastructure may be shared across groups.