APT10 (MenuPass Group) is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations. PwC and BAE recently issued a joint blog detailing extensive APT10 activity.
In June 2016, FireEye iSIGHT intelligence first reported that APT10 expanded their operations. The group was initially detected targeting a Japanese university, and more widespread targeting in Japan was subsequently uncovered. Further collaboration between FireEye as a Service (FaaS), Mandiant and FireEye iSIGHT intelligence uncovered additional victims worldwide, a new suite of tools and novel techniques.
Leveraging its global footprint, FireEye has detected APT10 activity across six continents in 2016 and 2017. APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide. We believe these companies are a mix of final targets and organizations that could provide a foothold in a final target.
APT10 unveiled new tools in its 2016/2017 activity. In addition to the continued use of SOGU, the current wave of intrusions has involved new tools we believe are unique to APT10. HAYMAKER and SNUGRIDE have been used as first stage backdoors, while BUGJUICE and a customized version of the open source QUASARRAT have been used as second stage backdoors. These new pieces of malware show that APT10 is devoting resources to capability development and innovation.
This recent APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. (For more information on infection via service providers see M-Trends 2016). APT10 spear phishes have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions (e.g. “[Redacted]_Group_Meeting_Document_20170222_doc_.exe) and in some cases simply identically named decoy documents and malicious launchers within the same archive.
In addition to the spear phishes, FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers. Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider’s customer. In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. A notable instance of this observed by FireEye involved a SOGU backdoor that was set to communicate with its C2 through a server belonging to the victim’s service provider.
APT10 actors issued the following commands to a SOGU implant at a victim:
These commands included setting persistence on the victim’s system. The actor then tested connectivity to an IP managed by the victim’s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim’s SOGU backdoor. This effectively routes SOGU malware traffic through the victim’s service provider, which likely indicates a foothold on the service provider’s network. The tactic also serves to mask malicious C2 and exfiltration traffic and make it appear innocuous.
APT10 is a threat to organizations worldwide. Their abuse of access to service provider networks demonstrates that peripheral organizations continue to be of interest to a malicious actor – especially those seeking alternative angles of attack. We believe the pace of APT10 operations may slow following the public disclosure by the PwC/BAE blog; however, we believe they will return to their large-scale operations, potentially employing new tactics, techniques and procedures.