Red Apollo
Red Apollo (also known as APT 10 (by Mandiant), MenuPass (by FireEye), Stone Panda (by CrowdStrike), and POTASSIUM (by Microsoft)) is a Chinese state-sponsored cyberespionage group. A 2018 indictment by the United States Department of Justice claimed that the group is linked to the Tianjin State Security Bureau of the Chinese government's Ministry of State Security and has been operating since 2006. The group was designated by FireEye as an Advanced Persistent Threat. FireEye states that the group targets aerospace, engineering, and telecom firms, and any government that it believes is a rival of China. FireEye also stated that the group could be targeting intellectual property from educational institutions, such as a Japanese university, and is likely to expand operations into the education sector in nations allied with the United States. FireEye said it had tracked the group since 2009 but, because of the low threat it had posed, it was not a priority. FireEye now describes the group as "a threat to organizations worldwide."


Tactics

The group directly targets managed information technology service providers (MSPs) using remote access trojans (RATs). The general role of an MSP is to manage a client company's computer network. MSPs were often compromised with Poison Ivy, FakeMicrosoft, PlugX, ArtIEF, Graftor, and ChChes, delivered through spear-phishing emails.


History


2014 to 2017: Operation Cloud Hopper

Operation Cloud Hopper was an extensive intrusion and information-theft campaign in 2017 directed at MSPs in the United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used MSPs as intermediaries to acquire assets and trade secrets from MSP clients in engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies. Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans, delivered through spear-phishing emails. The attackers created scheduled tasks or leveraged services and utilities to persist on Microsoft Windows systems across reboots, and installed malware and hacking tools to access systems and steal data.


2016 US Navy personnel data

Hackers accessed records relating to 130,000 US Navy personnel (out of 330,000). Following these actions, the Navy decided to coordinate with Hewlett Packard Enterprise Services, despite warnings having been given prior to the breach. All affected sailors were required to be notified.


2018 Indictments

A 2018 indictment showed evidence that CVNX was not the name of the group but the alias of one of two hackers. Both used four aliases each to make it appear as if more than five hackers had attacked.


Post-Indictment activities

In April 2019 APT10 targeted government and private organizations in the Philippines. In 2020 Symantec implicated Red Apollo in a series of attacks on targets in Japan. In March 2021, the group targeted the intellectual property of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker, for exfiltration.


See also

* China–United States relations
* Cyberwarfare by China

