On December 20, 2018, the United States government confirmed that widespread and malicious cybertheft is being perpetrated by a Chinese group known as Advanced Persistent Threat 10 or APT 10. The revelation came with the unsealing of an indictment in a Manhattan federal court. The group is said to be “operating on behalf of the Chinese Ministry of State Security.”
APT 10 has been known to attempt attacks on the energy sector, as well as various other industries critical to U.S. infrastructure. Here’s what you need to know about them.
They are NOT new. The group has been active for years, and evidence of its activity has been documented in at least twelve different countries, including the United States.
They have targets in mind. APT 10 is infamous for targeting both global managed service providers (MSPs) and cloud service providers, and the clients of those companies have been targeted as well. The group seems drawn in particular to companies that underpin the country’s critical infrastructure: the energy, information technology, communications, and healthcare industries have all been targeted in the past.
They want information. Confidential information and intellectual property are what APT 10 most commonly steals. Experts posit that stealing this information gives China an unfair advantage in the ever-threatening technology race, since the country need not fund research and development that U.S. companies have already completed.
They initiate the attack via email. The group is said to operate in a series of steps. First, they obtain administrative credentials such as usernames and passwords. Next, they craft fake emails using those credentials to win the trust of the intended recipient. Each email carried a mix of custom and ready-made malware that ran, and gave the group access, when the recipient opened the attached files. The entire technique is known as “spear-phishing.”
You didn’t have to receive the email to be affected: the APT 10 hackers used the access unknowingly granted by one person to steal further credentials that let them “move laterally through an MSP’s network and its clients’ networks.” This means the group could infiltrate client companies that never received the “spear-phishing” email. If the group found desirable information on an “unaffected” computer, it would encrypt the data and move it back to the originally compromised device for export.
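The lateral-movement pattern described above, one stolen credential fanning out from an MSP host into several client networks, is something a defender can look for in authentication logs. The following is an added example written for this article, not code from the indictment, the government, or any named product. The log format, host names, network labels, and thresholds are all assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Lateral-movement heuristic over constructed authentication logs.

Added example (not from the article or any named tool). It models the
pattern the indictment describes: a single credential used from a
compromised MSP host to reach hosts in several client networks within a
short time. Log format, host names, network labels and thresholds are
assumptions for illustration only.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <user> <src_host> <dst_host> <dst_network>".
# admin01 pivots from an MSP jump host into three client networks in minutes;
# helpdesk07 touches one client host well after its last MSP-side login.
SAMPLE_LOG = """\
2018-12-20T09:00:05 msp\\admin01 msp-jump01 msp-fs02 msp
2018-12-20T09:03:12 msp\\admin01 msp-jump01 clientA-db01 clientA
2018-12-20T09:05:40 msp\\admin01 msp-jump01 clientB-dc01 clientB
2018-12-20T09:07:15 msp\\admin01 msp-jump01 clientC-app01 clientC
2018-12-20T09:08:01 msp\\admin01 msp-jump01 clientC-fs01 clientC
2018-12-20T09:30:00 msp\\helpdesk07 msp-ws14 msp-ticket01 msp
2018-12-20T10:15:22 msp\\helpdesk07 msp-ws14 clientA-ws22 clientA
"""


@dataclass(frozen=True)
class AuthEvent:
    time: datetime
    user: str
    src_host: str
    dst_host: str
    dst_network: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the whitespace-separated constructed format into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, net = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, src, dst, net))
    return sorted(events, key=lambda e: e.time)


def find_lateral_movement(
    events: list[AuthEvent],
    window: timedelta = timedelta(minutes=15),
    max_hosts: int = 3,
    max_networks: int = 2,
) -> dict[str, dict]:
    """Return one alert per user whose credential reached more than `max_hosts`
    distinct hosts, or more than `max_networks` distinct networks, inside any
    sliding interval of length `window`. Thresholds are assumed values; an MSP
    admin legitimately reaches some client hosts, so the network count is the
    stronger signal of a cross-tenant pivot."""
    by_user: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts: dict[str, dict] = {}
    for user, evs in by_user.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it is within `window` of `e`.
            while evs[start].time < e.time - window:
                start += 1
            recent = evs[start:end + 1]
            hosts = {x.dst_host for x in recent}
            nets = {x.dst_network for x in recent}
            if len(hosts) > max_hosts or len(nets) > max_networks:
                alerts[user] = {
                    "first_seen": recent[0].time.isoformat(),
                    "last_seen": e.time.isoformat(),
                    "src_hosts": sorted({x.src_host for x in recent}),
                    "dst_hosts": sorted(hosts),
                    "networks": sorted(nets),
                }
                break  # one alert per credential is enough to start triage
    return alerts


if __name__ == "__main__":
    for user, alert in find_lateral_movement(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {alert}")
```

Only `msp\admin01` is flagged: by its third login the credential has reached three networks within five minutes, while `msp\helpdesk07`'s single client login falls outside the window of its earlier MSP-side activity. In practice the thresholds need tuning per environment, and an alert is a triage starting point, not proof of compromise.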
A press release issued the same day the indictment was unsealed stated that the U.S. government is working hard to hold the responsible individuals, as well as their sponsors, accountable for their actions. The release states that this type of behavior is unethical, unfair, and illegal, and that it will remain a matter of national security and an investigative priority.