APT23 has stolen information that has political and military significance, rather than intellectual property. This suggests that APT23 may perform data theft in support of more traditional espionage operations.
Name: Tropic Trooper (Trend Micro), Pirate Panda (CrowdStrike), APT23 (Mandiant), Iron (Microsoft), KeyBoy (Rapid7), Bronze Hobart (SecureWorks)
Location: China
Suspected attribution: State-sponsored
Date of initial activity: 2011
Targets: Media and government in the U.S. and the Philippines
Motivation: Information theft and espionage
Associated tools: NONGMIN, 8.t Dropper, CREDRIVER, KeyBoy, PCShare, Poison Ivy, ShadowPad, Winnti, Titan, USBferry, Yahoyah, Winsloader.
Attack vectors: APT23 has used spear phishing messages to compromise victim networks, including education-themed phishing lures. APT23 actors are not known to use zero-day exploits, but the group has leveraged such exploits once they were made public.
How they work: Tropic Trooper is an unaffiliated threat group that has conducted targeted campaigns in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on government, healthcare, transportation, and high-tech industries and has been active since 2011.
BRONZE HOBART has actively targeted Tibetan activists and supporters using weaponized RTF documents that installed a PowerShell RAT dubbed 'Pfine'. There are infrastructure and targeting overlaps between BRONZE HOBART and public reporting on KeyBoy, Tropic Trooper and Pirate Panda. CTU researchers assess with moderate confidence that BRONZE HOBART operates on behalf of China.