| Field | Value |
|---|---|
| Names | APT3, UPS Team, Buckeye, Gothic Panda |
| Additional Names | Pirpi, Threat Group-0110, TG-0110 |
| Date of initial activity | 2009 |
| Suspected attribution | Ministry of State Security – China |
| Associated tools | SHOTPUT, COOKIECUTTER, SOGU, LaZagne, OSInfo, PlugX, RemoteCMD, schtasks |
| Significant Attacks | Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap |
APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.
The Buckeye attack group had been active since at least 2009, when it began mounting a string of espionage attacks, mainly against organizations based in the U.S.
Although other zero-day attacks have been reported, they have not been confirmed by Symantec. All zero-day exploits known, or suspected, to have been used by this group are for vulnerabilities in Internet Explorer and Flash.
The China-based threat group that FireEye tracks as APT3 is one of the more sophisticated threat groups that FireEye Threat Intelligence tracks, and it has a history of using browser-based zero-day exploits (e.g., against Internet Explorer, Firefox, and Adobe Flash Player).
After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3’s command and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns.
Targeted sectors: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, Transportation
The phishing emails used by APT3 are usually generic in nature, almost appearing to be spam. Attacks have exploited an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files. The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP).
A twist in their ROP technique makes the exploit simpler and evades some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is XOR-encoded and hidden inside an image.
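The "XOR-encoded payload hidden inside an image" described above is something a triage script can surface without ever executing it: check for data trailing the image's end marker, then brute-force the 256 single-byte XOR keys looking for a decoded PE header. The following is an added example written for this profile, not tooling from the page or from any vendor; the PNG sample and the fake PE stub are constructed inline and the 0x5A key is an assumed value.

```python
import re

# Constructed sample: a minimal PNG skeleton with a fake PE stub appended after
# the IEND chunk and XOR-encoded with a single assumed byte key (0x5A).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DOS_STUB = b"This program cannot be run in DOS mode"
FAKE_PE = (b"MZ" + b"\x90" * 62 + b"\xe8\x00\x00\x00"
           + b"\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!"
           + DOS_STUB + b".\r\r\n$")
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


# IEND tag followed by a 4-byte CRC; anything after it is not part of the image.
SAMPLE_IMAGE = (PNG_MAGIC + b"\x00" * 64 + b"IEND\xaeB`\x82"
                + xor_bytes(FAKE_PE, SAMPLE_KEY))


def png_trailing_bytes(blob: bytes) -> bytes:
    """Return bytes found after the PNG IEND chunk (a clean PNG ends there)."""
    end = blob.find(b"IEND")
    if end < 0:
        return b""
    return blob[end + 4 + 4:]  # skip the IEND tag and its 4-byte CRC


def find_xor_hidden_pe(blob: bytes) -> list:
    """Try every single-byte XOR key; report (key, offset) where the decoded
    data shows an 'MZ' signature with the DOS stub text shortly after it.
    Key 0 covers the unencoded case, so plain PE payloads are reported too."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for m in re.finditer(rb"MZ", decoded):
            off = m.start()
            if DOS_STUB in decoded[off:off + 256]:
                hits.append((key, off))
    return hits


if __name__ == "__main__":
    trailing = png_trailing_bytes(SAMPLE_IMAGE)
    print(f"{len(trailing)} bytes after IEND; hits: {find_xor_hidden_pe(SAMPLE_IMAGE)}")
```

The byte-wise XOR is fine for triage of individual files; for bulk scanning, replace `xor_bytes` with a NumPy or C-backed implementation, and extend the signature check beyond the DOS stub, since packed or stubless payloads will not carry it.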