APT10, also known as Stone Panda, is a sophisticated Chinese state-sponsored cyber-espionage group that has been active since at least 2006. The group has seen several incarnations as an advanced persistent threat (APT) and is infamous for its exploits. Believed to be well-funded and technically proficient, APT10 has developed several tools and techniques that have since been adopted by other cybercrime organizations such as APT12 and TA410. This post briefly reviews the history of APT10 activity from the earliest attributed attacks to the present. Later articles will provide a more in-depth analysis of APT10's tooling and the processes it follows when exploiting a network, along with the latest intelligence on its activities.
APT10 has a massive operation, and its network of influence goes around the globe. Attacks against the following countries have been credited to the group:
For an APT to conduct operations on this scale, it must be well-funded and well-organized; therefore, an APT this large is typically backed by a nation-state. APT10 is commonly attributed to the People's Republic of China (PRC), which has not stated any affiliation with this threat or with its members. APT10's main goal is the acquisition of sensitive data, which we can track by exploring a timeline of the group's exploits.
(APT10 Attack Timeline, Netwitness)
2006: The Technology Theft Campaign
According to an indictment released by the United States Department of Justice (DOJ), “First, beginning in or about 2006, members of the APT10 Group… engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of commercial and defense technology companies and U.S. Government agencies to steal information and data concerning a number of technologies (the ‘Technology Theft Campaign’).”[1] The DOJ is referring to the first significant campaign conducted by APT10, which targeted various industries throughout the United States. The attacks successfully stole "hundreds of gigabytes of sensitive data."
A second campaign, the MSP Theft Campaign, targeted managed service providers (MSPs) that deliver outsourced IT services. Because an MSP serves many customers, it is a prime target: the data of all of those customers is concentrated in one place. If an MSP is compromised, so is all the data its customers send to it, and the intruder also gains direct lines into each customer's network.
The final intrusion described in the DOJ's report targeted the United States Navy. The report stated, "APT10 Group compromised more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel."[2]
In total, three extensive attacks were conducted over eight years, resulting in a 2018 indictment of two of APT10's alleged members. That record is only the beginning of APT10's story; the group has remained active into 2022. From the DOJ's report, one can deduce that APT10 has three broad target categories: government organizations, individual businesses holding proprietary data, and businesses (such as MSPs) with privileged access to the latter.
While this timeline is composed of publicly disclosed actions taken by APT10, it is not an exhaustive list, as some attacks in the late 2010s have not been released to the public due to their sensitive nature. The reach of APT10 is very broad; it has demonstrated its ability to conduct multiple campaigns worldwide.
Every company that holds sensitive information can protect itself from APT10 by safeguarding that information. In future articles, we will assist in that process by analyzing APT10's tools and processes and providing detection methods to spot these attacks.
The MSP Theft Campaign (2006 - Unk.)
The Technology Theft Campaign (2006 - Unk.)
Source: APT10: A Chinese Threat on a Global Espionage Mission | Cyware | Research and Analysis
(Possible) TeamViewer Attack (2016)
Source: APT10: A Chinese Threat on a Global Espionage Mission | Cyware | Research and Analysis
Japanese Academics and Organizations (2017)
APT10 Unveiled New Tools (2016/2017)
Source: APT10 MenuPass Group | Global Targeting Using New Tools (mandiant.com)
Operation Cloud Hopper (2017)
Source: APT10: A Chinese Threat on a Global Espionage Mission | Cyware | Research and Analysis
Source: Operation Cloud Hopper: What You Need to Know - Security News (trendmicro.com)
9 Global MSPs Hit in APT10 Attacks (2018)
Source: At least nine global MSPs hit in APT10 attacks: ACSC | ZDNET
LODEINFO (2019 - 2022)
Source: APT10: Tracking down LODEINFO 2022, part I | Securelist
Source: APT10: Tracking down LODEINFO 2022, part II | Securelist
Source: Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)
APT10 (Stone Panda) QuasarRAT Operation Against Taiwanese Banks and Financial Institutions (2021)
Mid-2021 - February 2022 Wide Campaign
APT10's most recent campaign has no official name, owing to the vast number of victims targeted. These attacks have struck locations all over the globe and are most likely still ongoing, undetected.
Victims are primarily government-related institutions but also include the telecommunications, legal, and pharmaceutical sectors.
Source: APT10 Espionage Attacks on U.S. Orgs Uncovered | Decipher (duo.com)