APT5 has been active since at least 2007. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications.
As early as 2014, Mandiant Incident Response discovered APT5 making unauthorized code modifications to files in the embedded operating system of another technology platform. In 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private and government entities. During this intrusion, the actors downloaded and modified some of the router images related to the company’s network routers.
Also during this time, APT5 stole files related to military technology from a South Asian defense organization. Observed filenames suggest the actors were interested in product specifications, emails concerning technical products, procurement bids and proposals, and documents on unmanned aerial vehicles (UAVs).
Name: APT 5 (FireEye), Keyhole Panda (CrowdStrike), TEMP.Bottle (iSight), Bronze Fleetwood (SecureWorks), TG-2754 (SecureWorks), Poisoned Flight (Kaspersky)
Location: China
Suspected attribution: China
Date of initial activity: 2007
Targets: Defense, High-Tech, Industrial, Technology, Telecommunications. Countries: Southeast Asia. Regional telecommunication providers, Asia-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology in the U.S., Europe, and Asia.
Motivation: Information theft and espionage
Associated malware: Binanen, Comfoo, Gh0st RAT, Isastart, Leouncia, OrcaRAT, PcShare, Skeleton Key, SlyPidgin, VinSelf.
Attack vectors: It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. The group uses malware with keylogging capabilities to specifically target telecommunication companies’ corporate networks, employees and executives. APT5 has shown significant interest in compromising networking devices and manipulating the underlying software that supports these appliances.
BRONZE FLEETWOOD is a threat group that CTU researchers assess with moderate confidence operates on behalf of China. The group has previously been observed using both the Leouncia and VinSelf tool kits to target organizations in the aerospace and communications sectors. The intent of the group is likely theft of information from targeted networks. There is strong overlap between the tools and infrastructure used by BRONZE FLEETWOOD and a threat group publicly reported by Secureworks dubbed Comfoo.
How they work: Leouncia is a powerful backdoor that is designed to take complete control over the infected machine. Similar to Vinself, Leouncia also uses HTTP to carry its custom obfuscated payload. Leouncia’s obfuscation techniques far more sophisticated than what found within Vinself.
Moreover, Leouncia tries its best to hide its presence from signature based sensors. It generates its http communication randomly by using varying levels of system information in conjunction with Windows random number generation APIs. The result is that every instance of its C&C communication will be different from the previous one.
