APT15 has targeted organizations headquartered in multiple countries, including several European states, the U.S., and South Africa. Its operators share resources, including backdoors and infrastructure, with other Chinese APT groups. Ke3chang, the name under which the same activity is tracked, is attributed to actors operating out of China and has targeted several industries, including oil, government, and military.
Name: Ke3chang (FireEye), Vixen Panda (CrowdStrike), APT 15 (Mandiant), GREF (SecureWorks), Bronze Palace (SecureWorks), Bronze Davenport (SecureWorks), Bronze Idlewood (SecureWorks), CTG-9246 (SecureWorks), Playful Dragon (FireEye), Royal APT (NCC Group), Metushy (?), Social Network Team (?)
Location: China
Suspected attribution: China – State-sponsored
Date of initial activity: 2010
Targets: Global targets in the trade, economic and financial, energy, and military sectors in support of Chinese government interests
Motivation: Information theft and espionage
Associated malware and tools: BS2005, CarbonSteal, Cobalt Strike, DarthPusher, DoubleAgent, GoldenEagle, HenBox, HighNoon, Ketrican, Ketrum, Mimikatz, MirageFox, MS Exchange Tool, Okrum, PluginPhantom, ProcDump, PsList, RoyalCli, RoyalDNS, SilkBean, spwebmember, SpyWaller, TidePool, Winnti, XSLCmd. The group also relies on living-off-the-land techniques (abuse of legitimate, already-present system utilities).
Attack vectors: APT15 typically uses well-crafted spear-phishing emails for Initial Compromise against global targets in sectors of interest to the Chinese government. Significantly, APT15 uses backdoors and infrastructure that are not unique to the group, which makes attribution challenging.
How they work: FireEye researchers discovered a cyber espionage campaign, which they called “Ke3chang,” that falsely advertised information updates about the ongoing crisis in Syria in order to compromise MFA networks in Europe. They believe that the Ke3chang attackers are operating out of China and have been active since at least 2010. However, the researchers believe specific Syria-themed attacks against MFAs (codenamed by Ke3chang as “moviestar”) began only in August 2013. The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria.
Diplomatic missions, including ministries of foreign affairs (MFA), are high-priority targets for today’s cyber spies. Large-scale cyber espionage campaigns such as “GhostNet” have demonstrated that government agencies around the world, including embassies, are vulnerable to targeted cyber attacks.
The Ke3chang attackers have been active since at least 2010. Tracking their activity over time has revealed information on their targeting preferences and the malware tools they use. The attackers have used three types of malware over the years and have traditionally targeted the aerospace, energy, government, high-tech, consulting services, and chemicals/manufacturing/mining sectors.