Red Apollo (also known as APT10 by Mandiant, MenuPass by FireEye, Stone Panda by CrowdStrike, and POTASSIUM by Microsoft) is a Chinese state-sponsored cyberespionage group. A 2018 indictment by the United States Department of Justice claimed that the group is linked to the Tianjin State Security Bureau of the Chinese government's Ministry of State Security and has been operating since 2006.
The group was designated by FireEye as an Advanced Persistent Threat. FireEye states that it targets aerospace, engineering, and telecom firms, and any government that it believes is a rival of China.
FireEye stated that the group could be targeting intellectual property from educational institutions such as a Japanese university, and is likely to expand operations into the education sector in nations allied with the United States.
FireEye claimed that the group had been tracked since 2009; however, because of the low threat it had posed, it was not a priority. FireEye now describes the group as "a threat to organizations worldwide."
Tactics
The group directly targets managed information technology service providers (MSPs) using remote access trojans (RATs). The general role of an MSP is to help manage a company's computer network. MSPs were often compromised by Poison Ivy, FakeMicrosoft, PlugX, ArtIEF, Graftor, and ChChes, delivered through spear-phishing emails.
History
2014 to 2017: Operation Cloud Hopper
Operation Cloud Hopper was an extensive attack and theft of information in 2017 directed at MSPs in the United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used MSPs as intermediaries to acquire assets and trade secrets from MSP clients in engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.
Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans, delivered through spear-phishing emails. The attackers created scheduled tasks or leveraged services and utilities to persist on Microsoft Windows systems even after a reboot, and installed malware and hacking tools to access systems and steal data.
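The scheduled-task and service persistence described above leaves traces in Windows event logs that defenders can hunt for. The following is an added example, not from the original article or from any vendor report: a Python triage over constructed Security event 4698 (scheduled task created) and System event 7045 (service installed) records, flagging binaries launched from user-writable paths, system binary names appearing outside System32, and services registered by a non-SYSTEM account. The key=value line layout is an assumed forwarder format, and the sample records are constructed.

```python
import re
# Constructed sample records (not real telemetry): Windows Security event 4698
# (scheduled task created) and System event 7045 (service installed), flattened
# to key=value lines the way a log forwarder might emit them.
SAMPLE_EVENTS = """\
EventID=4698 User=CORP\\jdoe TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Command=%windir%\\system32\\defrag.exe
EventID=4698 User=CORP\\jdoe TaskName=\\Update Command=C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe
EventID=7045 User=NT AUTHORITY\\SYSTEM ServiceName=Spooler Command=C:\\Windows\\System32\\spoolsv.exe
EventID=7045 User=CORP\\admin ServiceName=WinHelper Command=C:\\ProgramData\\wh\\helper.exe
"""

# Locations a legitimately installed task or service rarely runs from,
# and system binary names that malware often borrows when dropped elsewhere.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

def parse_line(line):
    # Values may contain spaces ("NT AUTHORITY\SYSTEM"), so split only at
    # whitespace that is followed by another Key= token.
    parts = re.split(r"\s(?=\w+=)", line.strip())
    return dict(p.split("=", 1) for p in parts if "=" in p)

def assess(rec):
    """Return the list of reasons a persistence event looks suspicious."""
    reasons = []
    cmd = rec.get("Command", "").lower()
    exe = cmd.rsplit("\\", 1)[-1]
    if cmd.startswith(USER_WRITABLE):
        reasons.append("binary in user-writable directory")
    if exe in MASQUERADE_NAMES and "\\system32\\" not in cmd:
        reasons.append("system binary name outside System32")
    if rec.get("EventID") == "7045" and not rec.get("User", "").upper().endswith("\\SYSTEM"):
        reasons.append("service installed by non-SYSTEM account")
    return reasons

def hunt(text):
    """Return (event_id, task_or_service_name, command, reasons) for flagged events."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("EventID") not in ("4698", "7045"):
            continue
        reasons = assess(rec)
        if reasons:
            name = rec.get("TaskName") or rec.get("ServiceName", "?")
            findings.append((rec["EventID"], name, rec["Command"], reasons))
    return findings

for event_id, name, command, reasons in hunt(SAMPLE_EVENTS):
    print(event_id, name, command, "; ".join(reasons))
```

The heuristics are deliberately coarse; in practice they would be tuned against a baseline of the organisation's known-good tasks and services.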
2016 US Navy personnel data
Hackers accessed records relating to 130,000 US Navy personnel (out of 330,000). Following these actions the Navy decided to coordinate with Hewlett Packard Enterprise Services, despite warnings having been given prior to the breach. All affected sailors were required to be notified.
2018 Indictments
A 2018 indictment showed evidence that CVNX was not the name of the group, but the alias of one of two hackers. Each of the two used four aliases, to make it appear as if more than five hackers had attacked.
Post-Indictment activities
In April 2019, APT10 targeted government and private organizations in the Philippines.
In 2020, Symantec implicated Red Apollo in a series of attacks on targets in Japan.
In March 2021, the group targeted the intellectual property of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker, for exfiltration.
See also
* China–United States relations
* Cyberwarfare by China