APT19 (G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT 19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.
Name:APT19 (FireEye), C0d0s0, Deep Panda (CrowdStrike), Pupa (Symantec), TG-3551 (SCWX CTU), BRONZE FIRESTONE (SecureWorks).
Location: China
Suspected attribution: A group likely composed of freelancers, with some degree of sponsorship by the Chinese government. (FireEye)
Date of initial activity: 2010- 2013
Targets: A variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services
Motivation: Information theft and espionage
Associated tools: C0d0so0, Cobalt Strike, EmpireProject, Derusbi and a 0-day for Flash.
Attack vectors: Application Layer Protocol: Web Protocols – APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.
How they work: In 2013, Breach of the US Department of Labor website – CrowdStrike was alerted to a strategic web compromise on a US Department of Labor website that was redirecting visitors to an attacker’s infrastructure. Eight other compromised sites were also reported to be similarly compromised with the data suggesting that this campaign began in mid-March.
The group has been active since at least 2010, when their tools were delivered through a strategic web compromise of the Nobel Peace Prize website that leveraged a 0-day in the Firefox browser.
BRONZE FIRESTONE appears to have access to the Derusbi source code, on the basis that it was observed deploying slightly modified versions of the tool immediately after previous versions had been removed from compromised hosts.
The group has also used PlugX, 9002 (aka NAID), Alice’s Rabbit Hole (MadHatter), Briba and Zuguo (aka Chinoxy) and is known to use cloud infrastructure from Google, Amazon web services and Dropbox for command and control. In the past BRONZE FIRESTONE infrastructure has overlapped with that of BRONZE KEYSTONE and BRONZE UNION. From January 2017, BRONZE FIRESTONE was also observed delivering cryptomining tools to compromised hosts. As of late 2017, the group was targeting legal firms for data exfiltration and technology providers for command and control infrastructure building.
