APT18 (G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.
Name: APT 18 (Mandiant), Dynamite Panda (CrowdStrike), TG-0416 (SecureWorks), Wekby (Palo Alto), Scandium (Microsoft)
Location: China
Suspected attribution: State-sponsored, PLA Navy – Related to Night Dragon and/or Nitro, Covert Grove.
Date of initial activity: 2009
Targets: Aerospace, Construction, Defense, Education, Engineering, Healthcare, High-Tech, Telecommunications, Transportation and Biotechnology in the USA.
Motivation: Information theft and espionage
Associated tools: AtNow, Gh0st RAT, hcdLoader, HTTPBrowser, Pisloader, StickyFingers and 0-day exploits for Flash.
Attack vectors:
- Application Layer Protocol: Web Protocols – APT18 uses HTTP for C2 communications.
- Application Layer Protocol: DNS – APT18 uses DNS for C2 communications.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.
- Command and Scripting Interpreter: Windows Command Shell – APT18 uses cmd.exe to execute commands on the victim’s machine.
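As an added defensive example (not code from the original page or from any of the vendors named above), the script below audits HKCU Run-key entries for the persistence pattern listed above: autostart values that point into user-writable directories or that launch through cmd.exe or another script interpreter. The sample entries are constructed; on Windows the script reads the live key, elsewhere it falls back to the samples.

```python
"""Audit HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for
suspicious autostart entries. Added example; sample data is constructed."""
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Locations a normal installer does not use for an autostart binary.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%",
                 "\\users\\public\\", "\\programdata\\", "\\appdata\\")
# Interpreters / LOLBins whose presence in a Run value warrants review.
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")


def flags_for(command: str) -> list[str]:
    """Return the reasons a single Run value deserves a closer look."""
    c = command.lower()
    reasons = []
    if any(p in c for p in USER_WRITABLE):
        reasons.append("user-writable path")
    if any(i in c for i in INTERPRETERS):
        reasons.append("script interpreter / LOLBin")
    return reasons


def audit(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map value name -> reasons for every entry that trips a check."""
    return {name: r for name, cmd in entries.items() if (r := flags_for(cmd))}


def read_live_hkcu_run() -> dict[str, str]:
    """Read the real HKCU Run key (Windows only; {} on other platforms)."""
    try:
        import winreg
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY)
    except (ImportError, OSError):
        return {}
    out, i = {}, 0
    with key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return out
            out[name] = str(value)
            i += 1


# Constructed sample entries (hypothetical, not real indicators).
SAMPLE = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r'cmd.exe /c start "" "%APPDATA%\svc\update.exe"',
    "Helper": r'C:\Users\Public\helper.exe',
}

if __name__ == "__main__":
    entries = read_live_hkcu_run() or SAMPLE
    for name, reasons in audit(entries).items():
        print(f"{name}: {', '.join(reasons)} -> {entries[name]}", file=sys.stderr)
```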
How they work: The group has frequently developed or adapted zero-day exploits for operations that were likely planned in advance. Its use of data from the Hacking Team leak demonstrated how the group can shift resources (i.e. selecting targets, preparing infrastructure, crafting messages, updating tools) to take advantage of unexpected opportunities such as newly exposed exploits.
Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of Hacking Team’s Flash zero-day exploit.
TG-0416 focused on breaching technology, manufacturing, and government verticals. In 2012, the threat actors transitioned to compromising the healthcare vertical and have continued uninterrupted through 2015. In addition, TG-0416 victimized utility and membership verticals in early 2013. CTU researchers assess with high confidence that TG-0416 will continue to compromise enterprises across numerous verticals.
While the data used in Figure 1 only represents TG-0416 activity observed by CTU researchers, it demonstrates that threat groups victimizing a particular vertical today may infiltrate new verticals tomorrow. Organizations should never dismiss the threat from groups that seem to only target other verticals. CTU researchers recommend carefully mapping threat group tactics, techniques, and procedures (TTPs) to security controls and planning mitigation strategies as feasible.