|Names||APT17 (Mandiant), Sneaky Panda (CrowdStrike), Bronze Keystone (SecureWorks), Elderwood (Symantec)|
|Additional Names||Tailgater Team (Symantec), Elderwood Gang (Symantec), SIG22 (NSA), Beijing Group (SecureWorks), TG-8153 (SecureWorks), TEMP.Avengers (FireEye), Dogfish (iDefense), Deputy Dog (iDefense), ATK 2 (Thales)|
|Date of initial activity||2009|
|Suspected attribution||State-sponsored, Jinan bureau of the Chinese Ministry of State Security|
|Motivation||Information theft and espionage|
|Associated tools||9002 RAT, BlackCoffee, Briba, Comfoo, DeputyDog, Gh0st RAT, HiKit, Jumpall, Linfo, Naid, Nerex, Pasam, Poison Ivy, PlugX, Vasport, Wiarp, ZoxPNG, ZoxRPC and several 0-days for IE.|
APT17 (G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
Created profile pages in Microsoft TechNet that were used as C2 infrastructure. Created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads.
How they work
FireEye has discovered a campaign leveraging the an announced zero-day CVE-2013-3893. This campaign, which was labeled ‘Operation DeputyDog’, began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor responsible for this campaign. Analysis based on their Dynamic Threat Intelligence cluster shows that this current campaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on Bit9.