Red Apollo

From Wikipedia, the free encyclopedia
Red Apollo
Chinese: 红色阿波罗
Formation: c. 2003–2005[1]
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Region: China
Methods: Zero-days, phishing, backdoors, remote access trojans (RATs), keylogging
Official language: Chinese
Parent organization: Ministry of State Security, Tianjin State Security Bureau[1]
Also known as: APT10, Stone Panda, MenuPass, RedLeaves, CVNX, POTASSIUM

Red Apollo (also known as APT10 (Mandiant/FireEye), MenuPass (FireEye), Stone Panda (CrowdStrike) and POTASSIUM (Microsoft))[2][3][4] is a Chinese cyberespionage group. A 2018 indictment announced by the United States Department of Justice alleged that it is a state-sponsored group linked to the Tianjin field office (Tianjin State Security Bureau) of the Ministry of State Security and that it had been operating since at least 2006.[1]

FireEye designated the group an advanced persistent threat (APT). It reports that the group targets aerospace, engineering and telecommunications firms, as well as governments it believes to be rivals of China.

FireEye said the group may also be targeting intellectual property at educational institutions, citing a Japanese university, and is likely to expand its operations into the education sector of nations allied with the United States.[5] FireEye had tracked the group since 2009, but because of the low threat it then posed it was not a priority; FireEye now describes the group as "a threat to organizations worldwide."[6]

Tactics

The group directly targets managed IT service providers (MSPs) using remote access trojans (RATs). An MSP's role is to manage a client company's computer network, so a compromised MSP gives the attacker a trusted, already-authorised path into the networks of every client it administers. MSPs were typically compromised through spear-phishing emails that delivered Poison Ivy, FakeMicrosoft, PlugX, ArtIEF, Graftor and ChChes.[7]

Cycle

Phase one: dropper. The RedLeaves implant is installed by a dropper that relies on DLL side-loading.[8]

History

2014 to 2017: Operation Cloud Hopper

Operation Cloud Hopper was an extensive intrusion and data-theft campaign, reported in 2017, directed at managed IT service providers (MSPs) in the United Kingdom, United States, Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used the MSPs as intermediaries to reach their clients, stealing assets and trade secrets from engineering, industrial manufacturing, retail, energy, pharmaceutical and telecommunications companies and from government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans, delivered through spear-phishing emails. To survive reboots on Microsoft Windows systems, the attackers created scheduled tasks or abused Windows services and built-in utilities, then installed further malware and hacking tools to access systems and steal data.[9]
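The persistence technique described above leaves a trace in two Windows events: Security event 4698 (scheduled task created) and System event 7045 (service installed). The following Python script is an added example, not code from the article or from any vendor report it cites, showing how a defender can sweep those events for task and service launch commands that look like RAT installs rather than legitimate software. The event records are constructed for illustration (real ones would be exported from the event log, for example with Get-WinEvent), and the path and launcher heuristics are assumptions to be tuned to the environment's software inventory.

```python
"""Hunt for scheduled-task and service persistence in Windows event logs.

Added example: scans constructed Security 4698 (task created) and System 7045
(service installed) records and flags launch commands typical of commodity
RAT persistence. Field names (TaskName, TaskContent, ServiceName, ImagePath)
are the EventData fields Windows writes for those events; the heuristics and
sample records are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# Locations an unprivileged user can write to. Persistence that launches from
# here is common for malware dropped by a phishing payload, rare for software
# installed by an administrator. (Assumption: tune per environment.)
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|Windows\\Temp|ProgramData|Temp)\\",
    re.IGNORECASE,
)
# Signed Windows binaries frequently used to launch a malicious DLL or script.
LOLBIN = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)(\.exe)?\b",
    re.IGNORECASE,
)
# PowerShell -e / -enc / -EncodedCommand followed by a long base64 blob.
ENCODED_PS = re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    name: str          # task name or service name
    command: str       # what will actually run: image path plus arguments
    reasons: list = field(default_factory=list)


def parse_task_xml(xml: str) -> str:
    """Extract <Command> and <Arguments> from the task XML carried in event 4698."""
    cmd = re.search(r"<Command>(.*?)</Command>", xml, re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", xml, re.S)
    return " ".join(m.group(1).strip() for m in (cmd, args) if m)


def analyze(records: list) -> list:
    """Return one Finding per task/service whose launch command looks suspect."""
    findings = []
    for rec in records:
        if rec["EventID"] == 4698:
            name, command = rec["TaskName"], parse_task_xml(rec["TaskContent"])
        elif rec["EventID"] == 7045:
            name, command = rec["ServiceName"], rec["ImagePath"]
        else:
            continue  # not a persistence event
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("binary in user-writable directory")
        if LOLBIN.search(command):
            reasons.append("LOLBin launcher")
        if ENCODED_PS.search(command):
            reasons.append("encoded PowerShell command")
        if reasons:
            findings.append(Finding(rec["EventID"], name, command, reasons))
    return findings


# Constructed sample records: two legitimate entries, three persistence
# candidates, and one unrelated logon event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r"<Task><Actions><Exec><Command>%windir%\system32\defrag.exe"
                    r"</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": r"\WindowsUpdateCheck",
     "TaskContent": r"<Task><Actions><Exec><Command>C:\Users\jdoe\AppData\Roaming\svchost.exe"
                    r"</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": r"\Adobe Flash Player Updater",
     "TaskContent": r"<Task><Actions><Exec><Command>powershell.exe</Command><Arguments>"
                    r"-w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
                    r"</Arguments></Exec></Actions></Task>"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "WinHelpSvc",
     "ImagePath": r"rundll32.exe C:\ProgramData\Adobe\upd.dll,Start"},
    {"EventID": 4624, "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.name}: {f.command}\n    -> {', '.join(f.reasons)}")
```

The three flagged entries mimic the pattern in the reporting: a task name that imitates a Windows or Adobe component, and a launch command that points into a user-writable directory or wraps the payload in a signed system binary. Legitimate tasks and services launching from %windir% or System32 produce no finding, so the output is short enough to review by hand across an MSP's client fleet.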

2016: US Navy personnel data

Hackers accessed records relating to about 130,000 of the Navy's 330,000 personnel.[10] The data had been held on a laptop of an employee of Hewlett Packard Enterprise Services, a Navy contractor, and the Navy investigated the incident with the company, even though warnings had been given before the breach.[11] All affected sailors were to be notified.

2018: Indictments

The 2018 indictment showed that CVNX was not the name of the group but the alias of one of the two indicted hackers. Each of the two used four aliases, making it appear that more than five hackers had been involved.

2019: Post-indictment activity

In April 2019, APT10 targeted government and private organizations in the Philippines.[12]

References

  1. "Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information". United States Department of Justice. December 20, 2018.
  2. "APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat". FireEye. April 2017. https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html
  3. "Two Birds, One Stone Panda". CrowdStrike. https://www.crowdstrike.com/blog/two-birds-one-stone-panda/
  4. powershell.fyi. https://powershell.fyi/potassium-apt10-campaigns/
  5. "APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat". FireEye.
  6. "APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat". FireEye.
  7. "Operation Cloud Hopper: What You Need to Know". Security News. Trend Micro USA.
  8. "Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading". Carbon Black. May 9, 2017.
  9. "Operation Cloud Hopper: What You Need to Know". Security News. Trend Micro USA.
  10. "Chinese hackers allegedly stole data of more than 100,000 US Navy personnel". MIT Technology Review.
  11. "US Navy Sailor Data 'Accessed by Unknown Individuals'". BankInfoSecurity.
  12. Manantan, Mark (September 2019). "The Cyber Dimension of the South China Sea Clashes". The Diplomat (58). Retrieved 5 September 2019.