APT20 engages in cyber operations where the goal is data theft. APT20 conducts intellectual property theft but also appears interested in stealing data from, or monitoring the activities of, individuals with particular political interests. Based on available data, we assess that this is a freelancer group with some nation-state sponsorship, located in China.
Name: APT20 (FireEye), APT8 (Mandiant), Violin Panda (CrowdStrike), TH3Bug (Palo Alto), Twivy.
Location: China
Suspected attribution: This group could be related to Axiom and Group 72.
Date of initial activity: 2014
Targets: Construction and engineering, health care, non-profit organizations, the defense industrial base, and chemical research and production companies. Countries and regions: Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, Thailand, UK, USA and East Asia.
Motivation: Information theft and espionage – Monitoring
Associated tools: BloodHound, KeeThief, Kerberoast, Mimikatz, PlugX, Poison Ivy, ProcDump, PsExec, SharpHound, SMBExec, WinRAR, XServer, Living off the Land.
Attack vectors: APT20’s use of strategic web compromises (SWCs) provides insight into a second set of likely targets. Many of APT20’s SWCs have been hosted on websites (including Chinese-language websites) that deal with issues such as democracy, human rights, freedom of the press, ethnic minorities in China, and related topics.
How they work: Watering hole attacks are an increasingly popular component of APT campaigns, as many people are now more aware of spear phishing and less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and planting malware intended to compromise the sites’ visitors. These are often popular websites frequented by people who work in specific industries or hold political sympathies, the people to whom the actors want to gain access. In contrast to many other APT campaigns, which rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites that its intended victims are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.
May be related to Operation Wocao, reported by fox-it.com.