| Names | APT7 |
| Location | China |
| Suspected attribution | China |
| Motivation | Steals intellectual property |
| Associated tools | DigDug, TRACKS |
Overview
APT7 engages in cyber operations where the goal is intellectual property theft, usually focusing on data and projects that make an organization competitive within its field. This group is known to have targeted organizations headquartered in the U.S. and U.K.
Targets
Construction, Aerospace, Engineering and defense industrial estate
Attack vectors
APT7 threat actors have used access to one organization to infiltrate another organization under the same corporate parent. This is a form of lateral movement, but in this case was also the initial compromise method for the second organization.
How they work
DigDug it is a library file that helps creates web driver service tunnels. It connects the current server with other cloud driver tunnels. While creating a new amendment in its server, an URL with a proxy server provides every access that are given to a legal account. This let the actors in dark and helps to exploit the server.
The cyber operation of intellectual property theft is to steal data of the appropriate companies that are involved in this line of work. They target the U.S and U.K countries which are already infiltrated but by other APT’s.
The attack vectors by the threat actor’s attacks two or more organization of a parent company which comes under their target, but also attacks other organizations that share their threat.
Indicators of Compromise (IOC)
- IP addresses:
- 176.34.146.10
- 176.34.146.11
- 176.34.146.12
- 176.34.146.13
- 176.34.146.14
- Domain names:
- a.apt7.biz
- b.apt7.biz
- c.apt7.biz
- d.apt7.biz
- e.apt7.biz
- File hashes:
- 5482598005525873334
- 6682888614648030960
- 7883188223870288576
- 8183487833092546176
- 8283787442314803776
