
| Field | Value |
|---|---|
| Names | APT 20 (FireEye), APT 8 (Mandiant), Violin Panda (CrowdStrike), TH3Bug (Palo Alto), Twivy |
| Location | China |
| Date of initial activity | 2014 |
| Suspected attribution | This group could be related to Axiom, Group 72 |
| Motivation | Information theft and espionage – Monitoring |
| Associated tools | QIAC, SOGU, Gh0st, ZXSHELL, Poison Ivy, BEACON, HOMEUNIX, STEW, BloodHound, KeeThief, Kerberoast, Mimikatz, PlugX, ProcDump, PsExec, SharpHound, SMBExec, WinRAR, XServer, Living off the Land |
Overview
APT20 engages in cyber operations whose goal is data theft. APT20 conducts intellectual property theft but also appears interested in stealing data from, or monitoring the activities of, individuals with particular political interests. Based on available data, we assess that this is a freelance group with some nation-state sponsorship, located in China.
Targets
Construction and engineering, health care, non-profit organizations, defense industrial base and chemical research and production companies. Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, Thailand, UK, USA and East Asia.
Attack vectors
APT20's use of strategic web compromises (SWCs) provides insight into a second set of likely targets. Many of APT20's SWCs have been hosted on websites (including Chinese-language websites) that deal with issues such as democracy, human rights, freedom of the press, ethnic minorities in China, and related topics.
How they work
Watering hole attacks are an increasingly popular component of APT campaigns, as many people are now more aware of spear phishing and less likely to open documents or click links in unsolicited emails. Watering hole attacks offer a much better chance of success because they compromise legitimate websites and plant malware intended to compromise those sites' visitors.
These are often popular websites frequented by people who work in specific industries or hold political sympathies the actors want to gain access to. In contrast to many other APT campaigns, which rely heavily on spear phishing to gain victims, "th3bug" is known for compromising legitimate websites its intended victims are likely to frequent. Over the summer the group compromised several sites, including a well-known Uyghur website written in that native language.
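A strategic web compromise works by adding remote-loading content (a script, a hidden iframe) to a page that visitors already trust, so one defender-side control for a site at risk of being used as a watering hole is to audit the hosts its pages load resources from against a recorded baseline. The following is an added example written for this page, not code from the original profile or from any of the vendors it cites: it parses a page's HTML, lists every host that `script`, `iframe`, `object`, `embed` and `link` tags pull content from, and reports hosts missing from the baseline as well as iframes sized or styled to be invisible. The HTML, the baseline and the host names (`.invalid` and `example.org`) are constructed sample input.

```python
"""Integrity check for remote resource references in a web page.

Added example (not from the original page or any referenced vendor): a
defender-side check for sites that could be turned into watering holes.
It parses HTML, records which hosts <script>, <iframe>, <object>, <embed>
and <link> tags load from, and reports hosts missing from a recorded
baseline plus iframes sized to be invisible. The HTML and host names
below are constructed sample input (.invalid / example.org names).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute through which a page pulls remote content.
LOADING_ATTRS = {
    "script": "src",
    "iframe": "src",
    "frame": "src",
    "object": "data",
    "embed": "src",
    "link": "href",
}


def reference_host(url, site_host):
    """Return the host a resource URL loads from; relative URLs are same-origin."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("data", "javascript"):
        return parsed.scheme + ":"       # inline payload, flagged as its own "host"
    return (parsed.netloc or site_host).lower()


class ResourceParser(HTMLParser):
    """Collects (tag, host, url, attrs) for every remote-loading tag."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_name = LOADING_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = {k: (v or "") for k, v in attrs}   # bare attributes parse as None
        url = attrs.get(attr_name)
        if url:
            self.refs.append((tag, reference_host(url, self.site_host), url, attrs))


def _is_hidden(attrs):
    """True for iframes sized to 0/1 px or styled display:none / visibility:hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def audit_page(html, site_host, baseline_hosts):
    """Return {"new_hosts": {host: [urls]}, "hidden_iframes": [urls]}."""
    parser = ResourceParser(site_host)
    parser.feed(html)
    known = {h.lower() for h in baseline_hosts} | {site_host.lower()}
    report = {"new_hosts": {}, "hidden_iframes": []}
    for tag, host, url, attrs in parser.refs:
        if host not in known:
            report["new_hosts"].setdefault(host, []).append(url)
        if tag == "iframe" and _is_hidden(attrs):
            report["hidden_iframes"].append(url)
    return report


# Constructed baseline: hosts the site legitimately loaded from when last audited.
BASELINE = {"cdn.example.org", "fonts.example.org"}

# Constructed sample page: three legitimate references plus two injected ones.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example.org/site.css">
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//stats-collector.invalid/t.js"></script>
</head><body>
<h1>News</h1>
<iframe src="http://ads-tracker.invalid/frame.html" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML, "www.example.org", BASELINE)
    for host, urls in sorted(result["new_hosts"].items()):
        print(f"NEW HOST {host}: {', '.join(urls)}")
    for url in result["hidden_iframes"]:
        print(f"HIDDEN IFRAME {url}")
```

Run against a live site, the baseline would be the host set captured from a known-good crawl; any newly appearing third-party host or a one-pixel iframe is then a candidate for manual review rather than an automatic verdict, since legitimate CDN or analytics changes produce the same signal.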
References:
- Advanced Persistent Threats (APTs) – APT20
- APT20
- Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
- Threat Actor Map