Movatterモバイル変換

[0]ホーム

Jump to content

Red Apollo

Edit links

From Wikipedia, the free encyclopedia

Chinese cyberespionage group

This article is about the threat actor. For the butterfly, seeParnassius epaphus. For the element, seePotassium.

Red Apollo
Formation	c. 2003–2005 [1]
Type	Advanced persistent threat
Purpose	Cyberespionage,cyberwarfare
Region	China
Methods	Zero-days,Phishing,backdoor (computing),RAT,Keylogging
Official language	Chinese
Parent organization	Tianjin State Security Bureau of theMinistry of State Security
Formerly called	APT10 Stone Panda MenuPass RedLeaves CVNX POTASSIUM

Red Apollo (also known asAPT 10 byMandiant,MenuPass byFireeye,Stone Panda byCrowdstrike, andPOTASSIUM byMicrosoft)^[1]^[2] is aChinese state-sponsoredcyberespionage group which has operated since 2006. In a 2018 indictment, theUnited States Department of Justice attributed the group to theTianjin State Security Bureau of theMinistry of State Security.^[3]

The team was designated anadvanced persistent threat by Fireeye, who reported that they target aerospace, engineering, and telecom firms and any government that they believe is a rival ofChina.

Fireeye stated that they could be targeting intellectual property from educational institutions such as a Japanese university and is likely to expand operations into the education sector in the jurisdictions of nations that are allied with theUnited States.^[4] Fireeye claimed that they were tracked since 2009, however because of the low-threat nature they had posed, they were not a priority. Fireeye now describes the group as "a threat to organizations worldwide."^[4]

Tactics

[edit]

The group directly targets managed information technology service providers (MSPs) usingRAT. The general role of an MSP is to help manage a company's computer network. MSPs were often compromised by Poison Ivy, FakeMicrosoft, PlugX, ArtIEF,Graftor, and ChChes, through the use ofspear-phishing emails.^[5]

History

[edit]

2014 to 2017: Operation Cloud Hopper

[edit]

Operation Cloud Hopper was an extensive attack and theft of information in 2017 directed at MSPs in the United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used MSP's as intermediaries to acquire assets and trade secrets from MSP-client engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors,malware andtrojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to persist inMicrosoft Windows systems even if the computer system was rebooted. It installed malware and hacking tools to access systems and steal data.^[5]

2016 US Navy personnel data

[edit]

Hackers accessed records relating to 130,000US Navy personnel (out of 330,000).^[6] Under these actions the Navy decided to coordinate withHewlett Packard Enterprise Services, despite warnings being given prior to the breach.^[7] All affected sailors were required to be notified.

2018 Indictments

[edit]

A 2018 Indictment showed evidence that CVNX was not the name of the group, but was the alias of one of two hackers. Both used four aliases each to make it appear as if more than five hackers had attacked.

Post-Indictment activities

[edit]

In April 2019 APT10 targeted government and private organizations in thePhilippines.^[8]

In 2020 Symantec implicated Red Apollo in a series of attacks on targets in Japan.^[9]

In March 2021, they targetedBharat Biotech and theSerum Institute of India (SII), the world's largest vaccine maker's intellectual property forexfiltration.^[10]

References

[edit]

^"APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat".FireEye.Archived from the original on 2021-04-28. Retrieved2021-03-07.
^Kozy, Adam (2018-08-30)."Two Birds, One STONE PANDA".Archived from the original on 2021-01-15. Retrieved2021-03-07.
^"Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information".United States Department of Justice. 2018-12-20.Archived from the original on 2021-05-01. Retrieved2021-03-07.
^^a ^b"APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat « APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat".FireEye. April 6, 2017.Archived from the original on April 28, 2021. RetrievedJune 30, 2019.
^^a ^b"Operation Cloud Hopper: What You Need to Know - Security News - Trend Micro USA".trendmicro.com. April 10, 2017.Archived from the original on June 30, 2019. RetrievedJune 30, 2019.
^"Chinese hackers allegedly stole data of more than 100,000 US Navy personnel".MIT Technology Review.Archived from the original on 2019-06-18. Retrieved2019-06-30.
^"US Navy Sailor Data 'Accessed by Unknown Individuals'".bankinfosecurity.com.Archived from the original on 2019-06-30. Retrieved2019-07-12.
^Manantan, Mark (September 2019)."The Cyber Dimension of the South China Sea Clashes". No. 58. The Diplomat. The Diplomat.Archived from the original on 17 February 2016. Retrieved5 September 2019.
^Lyngaas, Sean (17 November 2020)."Symantec implicates APT10 in sweeping hacking campaign against Japanese firms".www.cyberscoop.com. Cyberscoop.Archived from the original on 18 November 2020. Retrieved19 November 2020.
^N. Das, Krishna (1 March 2021)."Chinese hacking group Red Apollo (APT10) had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker".Reuters.Archived from the original on 3 May 2021. Retrieved1 March 2021.

Hacking in the 2010s

← 2000s

Timeline

2020s →

Major incidents

2010	Operation Aurora (publication of 2009 events) Australian cyberattacks Operation Olympic Games Operation ShadowNet Operation Payback
2011	Canadian government DigiNotar DNSChanger HBGary Federal Operation AntiSec PlayStation network outage RSA SecurID compromise
2012	LinkedIn hack Stratfor email leak Operation High Roller
2013	South Korea cyberattack Snapchat hack Cyberterrorism attack of June 25 2013 Yahoo! data breach Singapore cyberattacks
2014	Anthem medical data breach Operation Tovar 2014 celebrity nude photo leak 2014 JPMorgan Chase data breach 2014 Sony Pictures hack Russian hacker password theft 2014 Yahoo! data breach
2015	Office of Personnel Management data breach HackingTeam Ashley Madison data breach VTech data breach Ukrainian Power Grid Cyberattack SWIFT banking hack
2016	Bangladesh Bank robbery Hollywood Presbyterian Medical Center ransomware incident Commission on Elections data breach Democratic National Committee cyber attacks Vietnam Airport Hacks DCCC cyber attacks Indian Bank data breaches Surkov leaks Dyn cyberattack Russian interference in the 2016 U.S. elections 2016 Bitfinex hack
2017	SHAttered 2017 Macron e-mail leaks WannaCry ransomware attack Westminster data breach Petya and NotPetya 2017 Ukraine ransomware attacks Equifax data breach Deloitte breach Disqus breach
2018	Trustico Atlanta cyberattack SingHealth data breach
2019	Sri Lanka cyberattack Baltimore ransomware attack Bulgarian revenue agency hack WhatsApp snooping scandal Jeff Bezos phone hacking incident

Hacktivism

Groups

Individuals

Majorvulnerabilities
publiclydisclosed

Evercookie (2010)
iSeeYou (2013)
Heartbleed (2014)
Shellshock (2014)
POODLE (2014)
Rootpipe (2014)
Row hammer (2014)
SS7 vulnerabilities (2014)
WinShock (2014)
JASBUG (2015)
Stagefright (2015)
DROWN (2016)
Badlock (2016)
Dirty COW (2016)
Cloudbleed (2017)
Broadcom Wi-Fi (2017)
EternalBlue (2017)
DoublePulsar (2017)
Silent Bob is Silent (2017)
KRACK (2017)
ROCA vulnerability (2017)
BlueBorne (2017)
Meltdown (2018)
Spectre (2018)
EFAIL (2018)
Exactis (2018)
Speculative Store Bypass (2018)
Lazy FP state restore (2018)
TLBleed (2018)
SigSpoof (2018)
Foreshadow (2018)
Dragonblood (2019)
Microarchitectural Data Sampling (2019)
BlueKeep (2019)
Kr00k (2019)

Malware

2010	Bad Rabbit Black Energy 2 SpyEye Stuxnet
2011	Coreflood Alureon Duqu Kelihos Metulji botnet Stars
2012	Carna Dexter FBI Flame Mahdi Red October Shamoon
2013	CryptoLocker DarkSeoul
2014	Brambul Black Energy 3 Carbanak Careto DarkHotel Duqu 2.0 FinFisher Gameover ZeuS Regin
2015	Dridex Hidden Tear Rombertik TeslaCrypt
2016	Hitler Jigsaw KeRanger Necurs MEMZ Mirai Pegasus Petya and NotPetya X-Agent
2017	BrickerBot Kirk LogicLocker Rensenware Triton WannaCry XafeCopy
2018	VPNFilter
2019	Grum Joanap NetTraveler R2D2 Tinba Titanium ZeroAccess botnet

Ministry of State Security

(MSS Headquarters:Yidongyuan, Xiyuan,Haidian District,Beijing, China)

Organization

Headquarters bureaus	Confidential Communication International Intelligence Political & Economic Intelligence Taiwan, Hong Kong and Macao Analysis and Dissemination Operational Guidance Counterespionage Counterespionage Investigation Internal Security External Security CICIR Social Investigation Bureau CICEC CNITSEC CNNVD Technical Reconnaissance Institute of Taiwan Studies Imaging Intelligence Enterprises United States California Counterterrorism
Municipal bureaus	Beijing Detention Center Chongqing Shanghai Tianjin
Provincial departments	Anhui Fujian Gansu Guangdong Guizhou Hainan Hebei Heilongjiang Henan Hubei Hunan Jiangsu Jiangxi Jilin Liaoning Qinghai Shaanxi Shandong Shanxi Sichuan Yunnan Zhejiang
Departments in autonomous regions	Guangxi Inner Mongolia Ningxia Tibet Xinjiang XPCC
Schools	University of International Relations Hangzhou [zh] Jiangnan Social University
Research institutes	Nanjing Institute of Information Technology
Front organizations	Nanshan Temple Guanyin of Nanshan China Institute for Innovation and Development Strategy China National Technical Import and Export Corporation
Other components	State Security Police