| Names | APT12 (Mandiant, FireEye), Numbered Panda (CrowdStrike), Crimson Iron (Threat Connect) |
| Additional Names | TG-2754, BeeBus, Group 22, DynCalc, Calc Team, DNSCalc, BRONZE GLOBE, IXESHE |
| Location | China |
| Date of initial activity | 2009 |
| Suspected attribution | People’s Liberation Army |
| Motivation | Information theft and espionage |
| Associated tools | AUMLIB, ETUMBOT, IHEATE, IXESHE, RapidStealer, THREEBYTE, WaterSpout, HTRAND, RIPTIDE |
| Significant Attacks | Fukushima Reactor Incident of 2011 |
Overview
APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. Journalists, government, defense industrial base.
Attack vectors
One of the group’s typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests.
How they work
Screen saver files, which are binary executables and PDF documents, are common Numbered Panda weaponization tactics. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS.
This effectively helps Numbered Panda bypass egress filtering implemented to prevent unauthorized communications on some enterprises. The malware will typically use two DNS names for communication: one is used for command and control; the other is used with an algorithm to calculate the port to communicate to.
Numbered Panda has a long list of high-profile victims and is known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely filling intelligence gaps in the ground cleanup/mitigation operations.
Indicators of Compromise (IOC)
- IP addresses: APT12 has been known to use a variety of IP addresses, including:
- 176.34.119.10
- 176.34.119.11
- 176.34.119.12
- 176.34.119.13
- 176.34.119.14
- Domains: APT12 has also been known to use a variety of domains, including:
- www.apt12.com
- www.apt12.net
- www.apt12.org
- www.apt12.us
- www.apt12.uk
- File names: APT12 has been known to use a variety of file names, including:
- apt12.exe
