APT17 (G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
Aliases: Tailgater Team (Symantec), Elderwood (Symantec), Elderwood Gang (Symantec), Sneaky Panda (CrowdStrike), SIG22 (NSA), Beijing Group (SecureWorks), Bronze Keystone (SecureWorks), TG-8153 (SecureWorks), TEMP.Avengers (FireEye), Dogfish (iDefense), Deputy Dog (iDefense), ATK 2 (Thales)
Location: China
Suspected attribution: State-sponsored, Jinan bureau of the Chinese Ministry of State Security
Date of initial activity: 2009
Targets: U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
Motivation: Espionage
Associated tools: 9002 RAT, BlackCoffee, Briba, Comfoo, DeputyDog, Gh0st RAT, HiKit, Jumpall, Linfo, Naid, Nerex, Pasam, Poison Ivy, PlugX, Vasport, Wiarp, ZoxPNG, ZoxRPC, and several Internet Explorer zero-day exploits.
Attack vectors: Created and cultivated profile pages on Microsoft TechNet that were used as C2 infrastructure. To make these profile pages appear more legitimate, APT17 added biographical sections and posted in forum threads.
How they work: FireEye discovered a campaign leveraging the zero-day CVE-2013-3893. This campaign, labeled ‘Operation DeputyDog’, began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs continuously monitored the activities of the threat actor responsible for this campaign. Analysis based on FireEye's Dynamic Threat Intelligence cluster showed that the campaign leveraged command and control infrastructure related to the infrastructure used in the attack on Bit9.