We've heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant's APT1 report in 2013, there's been a continuous stream of exposure of nation-state hacking at scale.
Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they're less good at placing these actions in context sufficient enough for defenders to make solid risk assessments. So we're going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.
Today, we're beginning with APT10. (Note: These groups have a panoply of different names, but for simplicity's sake, we're going to borrow Mandiant's naming conventions for Chinese groups.)
Who is APT10?
First observed in 2009, APT10 is most commonly attributed via open source research to the Chinese Ministry of State Security (MSS). MSS attacks are typically, but not limited to: intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high value counter intelligence targets overseas. As an example of a trade negotiation op, Fidelis Security observed a watering hole attack in February 2017 targeting members of the National Foreign Trade Council, a US trade lobby group.
A commonly-used tool of APT10 is Scanbox, which is a form of malware that can offer insights into their targeting priorities. Scanbox has been observed on assorted industrial sector targets in the US and Japan, but also on Uighur dissidents overseas. While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs.
Malware commonly deployed
APT10 is known for deploying the following malware:
Note: Variants of PlugX and Poison Ivy were developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone.
Should you be worried?
That depends on the type of organization you run. APT10 has been observed to most commonly target construction, engineering, aerospace, and regional telecoms, as well as traditional government targets. If your company exists outside these verticals, it's unlikely that APT10 would expend the time and resources to target you. For companies outside the targeting profile, it's much more cost effective to spend defense budgets on common vulnerabilities that are most leveraged by common attackers.
What might they do next?
Like most APTs, APT10 has traditionally targeted at scale when attacking commercial enterprise. However, a more recent report by Price Waterhouse Cooper and BAE Systems suggests that they've begin devoting a portion of their operations to targeting Managed Service Providers (MSPs), most likely in an attempt to exfiltrate sensitive client data. Given that there's been increasing awareness of advanced threats by high-value targets, continuing to target MSPs in this way is a plausible means of obtaining the same desired data at a lesser cost.
If you'd like to do some additional reading on APTs, and specifically APT10, take a look at the following resources: