APT21 leverages strategic Russian-language attachments themed with national security issues in lure documents. Historically, social engineering content is indicative of a cyber espionage operation attempting to gain unauthorized access to privileged information concerning state security in Russia. An analysis of APT21 techniques suggests that another of their focus areas is dissident groups which seek greater autonomy or independence from China, such as those from Tibet or Xinjiang.
Name: Zhenbao, NetTraveler (Kaspersky), APT 21 (Mandiant), Hammer Panda (CrowdStrike), TEMP.Zhenbao (FireEye)
Location: China
Suspected attribution: The later group RedAlpha has infrastructure overlap with NetTraveler.
Date of initial activity: 2003/04
Targets: Government, Defense, Embassies, Oil and gas, Scientific research centers and institutes, and Tibetan/Uyghur activists.
Motivation: Information theft and espionage
Associated tools: NetTraveler, PlugX.
Attack vectors: Hammer Panda is a group of suspected Chinese origin targeting organizations in Russia.
How they work: APT21 leverages spear phishing email messages with malicious attachments, links to malicious files, or links to web pages. They have also used strategic web compromises (SWCs) to target potential victims. APT21 frequently uses two backdoors known as TRAVELNET (NetTraveler) and TEMPFUN. Significantly, APT21 typically uses custom backdoors and rarely uses publicly available tools.
The main tool used by the threat actors during these attacks is NetTraveler, a malicious program used for covert computer surveillance. The name NetTraveler comes from an internal string present in early versions of the malware: "NetTraveler Is Running!" This malware is used by APT actors for basic surveillance of their victims. The earliest known samples have a timestamp of 2005, although references exist indicating activity as early as 2004. The largest number of samples we observed were created between 2010 and 2013.