Red Apollo

Last updated
Red Apollo
Formationc. 2003–2005
Type Advanced persistent threat
Purpose Cyberespionage, cyberwarfare
Region
China
Methods Zero-days, Phishing, backdoor (computing), RAT, Keylogging
Official language
Chinese
Parent organization
 Tianjin State Security Bureau of the Ministry of State Security
Formerly called
APT10
Stone Panda
MenuPass
RedLeaves
CVNX
POTASSIUM

Red Apollo (also known as APT 10 (by Mandiant), MenuPass (by Fireeye), Stone Panda (by Crowdstrike), and POTASSIUM (by Microsoft)) [1] [2] is a Chinese state-sponsored cyberespionage group which has operated since 2006. In a 2018 indictment, the United States Department of Justice attributed the group to the Tianjin State Security Bureau of the Ministry of State Security. [3]

Contents

The team was designated an advanced persistent threat by Fireeye, who reported that they target aerospace, engineering, and telecom firms and any government that they believe is a rival of China.

Fireeye stated that they could be targeting intellectual property from educational institutions such as a Japanese university and is likely to expand operations into the education sector in the jurisdictions of nations that are allied with the United States. [4] Fireeye claimed that they were tracked since 2009, however because of the low-threat nature they had posed, they were not a priority. Fireeye now describes the group as "a threat to organizations worldwide." [4]

Tactics

The group directly targets managed information technology service providers (MSPs) using RAT. The general role of an MSP is to help manage a company's computer network. MSPs were often compromised by Poison Ivy, FakeMicrosoft, PlugX, ArtIEF, Graftor, and ChChes, through the use of spear-phishing emails. [5]

History

2014 to 2017: Operation Cloud Hopper

Operation Cloud Hopper was an extensive attack and theft of information in 2017 directed at MSPs in the United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used MSP's as intermediaries to acquire assets and trade secrets from MSP-client engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to persist in Microsoft Windows systems even if the computer system was rebooted. It installed malware and hacking tools to access systems and steal data. [5]

2016 US Navy personnel data

Hackers accessed records relating to 130,000 US Navy personnel (out of 330,000). [6] Under these actions the Navy decided to coordinate with Hewlett Packard Enterprise Services, despite warnings being given prior to the breach. [7] All affected sailors were required to be notified.

2018 Indictments

A 2018 Indictment showed evidence that CVNX was not the name of the group, but was the alias of one of two hackers. Both used four aliases each to make it appear as if more than five hackers had attacked.

Post-Indictment activities

In April 2019 APT10 targeted government and private organizations in the Philippines. [8]

In 2020 Symantec implicated Red Apollo in a series of attacks on targets in Japan. [9]

In March 2021, they targeted Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker's intellectual property for exfiltration. [10]

See also

Related Research Articles

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Operation Aurora was a series of cyber attacks performed by advanced persistent threats such as the Elderwood Group based in Beijing, China, with associations with the People's Liberation Army. First disclosed publicly by Google on January 12, 2010, by a weblog post, the attacks began in mid-2009 and continued through December 2009.

Author - Sidharth Lakra

Cyberwarfare by China is the aggregate of all combative activities in the cyberspace which are taken by organs of the People's Republic of China, including affiliated advanced persistent threat (APT) groups, against other countries.

<span class="mw-page-title-main">Palo Alto Networks</span> American technology company

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.

Carbanak is an APT-style campaign targeting financial institutions, that was discovered in 2014 by the Russian cyber security company Kaspersky Lab. It utilizes malware that is introduced into systems running Microsoft Windows using phishing emails, which is then used to steal money from banks via macros in documents. The hacker group is said to have stolen over 900 million dollars, from the banks as well as from over a thousand private customers.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Fancy Bear, also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM or Forest Blizzard, is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks, ThreatConnect, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165. This refers to its unified Military Unit Number of the Russian army regiments. The headquarters of Fancy Bear and the entire military unit, which reportedly specializes in state-sponsored cyberattacks and decryption of hacked data, were targeted by Ukrainian drones on July 24, 2023, the rooftop on one of the buildings collapsed as a result of the explosion.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

PLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia. They are secretive and not much is known about the members of the group. The group's skill means that its attacks sometimes go without detection for many years.

Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran. The group has also been called Elfin Team, Refined Kitten, Magnallium, Peach Sandstorm, and Holmium.

<span class="mw-page-title-main">Anomali</span> American cybersecurity company

Anomali Inc. is an American cybersecurity company that develops and provides threat intelligence products. In 2023, the company moved into providing security analytics powered by artificial intelligence (AI).

Charming Kitten, also called APT35, Phosphorus or Mint Sandstorm, Ajax Security, and NewsBeef, is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat.

Double Dragon is a hacking organization with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.

<span class="mw-page-title-main">Sandworm (hacker group)</span> Russian hacker group

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

OceanLotus, also known as APT32, BISMUTH, or Canvas Cyclone, is a hacker group associated with the government of Vietnam. It has been accused of cyberespionage targeting political dissidents, government officials, and businesses with ties to Vietnam.

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

The Nitro hacking attacks were a targeted malware campaign in 2011 suspected to be a case of corporate espionage. At least 48 confirmed companies were infected with a Trojan called Poison Ivy that transferred intellectual property to remote servers. Much of the information known about these attacks comes from a white paper published by cybersecurity company Symantec.

References

  1. "APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat". FireEye. Archived from the original on 2021-04-28. Retrieved 2021-03-07.
  2. Kozy, Adam (2018-08-30). "Two Birds, One STONE PANDA". Archived from the original on 2021-01-15. Retrieved 2021-03-07.
  3. "Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information". United States Department of Justice . 2018-12-20. Archived from the original on 2021-05-01. Retrieved 2021-03-07.
  4. 1 2 "APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat « APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat". FireEye. April 6, 2017. Archived from the original on April 28, 2021. Retrieved June 30, 2019.
  5. 1 2 "Operation Cloud Hopper: What You Need to Know - Security News - Trend Micro USA". trendmicro.com. April 10, 2017. Archived from the original on June 30, 2019. Retrieved June 30, 2019.
  6. "Chinese hackers allegedly stole data of more than 100,000 US Navy personnel". MIT Technology Review. Archived from the original on 2019-06-18. Retrieved 2019-06-30.
  7. "US Navy Sailor Data 'Accessed by Unknown Individuals'". bankinfosecurity.com. Archived from the original on 2019-06-30. Retrieved 2019-07-12.
  8. Manantan, Mark (September 2019). "The Cyber Dimension of the South China Sea Clashes". No. 58. The Diplomat. The Diplomat. Archived from the original on 17 February 2016. Retrieved 5 September 2019.
  9. Lyngaas, Sean (17 November 2020). "Symantec implicates APT10 in sweeping hacking campaign against Japanese firms". www.cyberscoop.com. Cyberscoop. Archived from the original on 18 November 2020. Retrieved 19 November 2020.
  10. N. Das, Krishna (1 March 2021). "Chinese hacking group Red Apollo (APT10) had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker". Reuters . Archived from the original on 3 May 2021. Retrieved 1 March 2021.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.