APT3
Also known as: Gothic Panda · Pirpi · UPS Team · Buckeye · Threat Group-0110 · TG-0110
Overview
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.
Targets
Political party · Private sector
Regions
Hong Kong · United Kingdom · United States
Capabilities
- Exploitation of client applications (ATT&CK T1203, Exploitation for Client Execution; no public-facing-application exploitation, T1190, is attributed here)
- Custom malware/implant development: 4 custom malware families attributed (see Tools & malware below)
TTPs — 44 techniques across 11 tactics
Initial Access
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
Persistence
- T1098.007 Additional Local or Domain Groups
- T1136.001 Local Account
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1546.008 Accessibility Features
Stealth (Defense Evasion)
- T1027 Obfuscated Files or Information
- T1027.002 Software Packing
- T1027.005 Indicator Removal from Tools
- T1036.010 Masquerade Account Name
- T1070.004 File Deletion
- T1078.002 Domain Accounts
- T1218.011 Rundll32
- T1564.003 Hidden Window
- T1574.001 DLL
Credential Access
- T1003.001 LSASS Memory
- T1110.002 Password Cracking
- T1552.001 Credentials In Files
- T1555.003 Credentials from Web Browsers
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1069 Permission Groups Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.001 Local Account
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1560.001 Archive via Utility
Command and Control
- T1090.002 External Proxy
- T1095 Non-Application Layer Protocol
- T1104 Multi-Stage Channels
- T1105 Ingress Tool Transfer
Exfiltration
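The technique list above, turned into an ATT&CK Navigator layer so it can be overlaid on a detection-coverage matrix. This is an added Python example, not code from threatfilter.dev: it embeds the page's TTPs as constructed input in the fused "ID followed by name" form the listing uses, parses them, rejects duplicates, and emits a layer plus per-tactic counts. The Navigator tactic short-names, the reading of "Stealth" as the Defense Evasion tactic, the version fields, the colour and the layer name are my assumptions.

```python
"""Turn the TTP listing above into an ATT&CK Navigator layer.

Added example, not threatfilter.dev's code. The fused "<id><name>" lines
below are constructed from the page's TTP section; the tactic short-names,
the version fields and the colour are assumptions, and "Stealth" is taken
to be this page's label for the Defense Evasion tactic.
"""
import json
import re
from collections import Counter

# Constructed from the page's TTP section, one fused line per technique.
PAGE_TTPS = {
    "Initial Access": ["T1566.002Spearphishing Link"],
    "Execution": [
        "T1053.005Scheduled Task", "T1059.001PowerShell",
        "T1059.003Windows Command Shell",
        "T1203Exploitation for Client Execution", "T1204.001Malicious Link",
    ],
    "Persistence": [
        "T1098.007Additional Local or Domain Groups", "T1136.001Local Account",
        "T1543.003Windows Service", "T1547.001Registry Run Keys / Startup Folder",
    ],
    "Privilege Escalation": ["T1546.008Accessibility Features"],
    "Stealth": [
        "T1027Obfuscated Files or Information", "T1027.002Software Packing",
        "T1027.005Indicator Removal from Tools", "T1036.010Masquerade Account Name",
        "T1070.004File Deletion", "T1078.002Domain Accounts", "T1218.011Rundll32",
        "T1564.003Hidden Window", "T1574.001DLL",
    ],
    "Credential Access": [
        "T1003.001LSASS Memory", "T1110.002Password Cracking",
        "T1552.001Credentials In Files", "T1555.003Credentials from Web Browsers",
    ],
    "Discovery": [
        "T1016System Network Configuration Discovery", "T1018Remote System Discovery",
        "T1033System Owner/User Discovery", "T1049System Network Connections Discovery",
        "T1057Process Discovery", "T1069Permission Groups Discovery",
        "T1082System Information Discovery", "T1083File and Directory Discovery",
        "T1087.001Local Account",
    ],
    "Lateral Movement": ["T1021.001Remote Desktop Protocol", "T1021.002SMB/Windows Admin Shares"],
    "Collection": [
        "T1005Data from Local System", "T1056.001Keylogging",
        "T1074.001Local Data Staging", "T1560.001Archive via Utility",
    ],
    "Command and Control": [
        "T1090.002External Proxy", "T1095Non-Application Layer Protocol",
        "T1104Multi-Stage Channels", "T1105Ingress Tool Transfer",
    ],
    "Exfiltration": [],  # heading is present on the page, no techniques listed
}

# Page heading -> Navigator tactic short-name (assumed mapping).
TACTIC_SHORTNAMES = {
    "Initial Access": "initial-access", "Execution": "execution",
    "Persistence": "persistence", "Privilege Escalation": "privilege-escalation",
    "Stealth": "defense-evasion", "Credential Access": "credential-access",
    "Discovery": "discovery", "Lateral Movement": "lateral-movement",
    "Collection": "collection", "Command and Control": "command-and-control",
    "Exfiltration": "exfiltration",
}

# A technique ID (Txxxx or Txxxx.yyy) followed directly by its name.
FUSED_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)(.*)$")


def parse_fused(line):
    """Split 'T1566.002Spearphishing Link' into ('T1566.002', 'Spearphishing Link')."""
    m = FUSED_RE.match(line.strip())
    if not m or not m.group(2).strip():
        raise ValueError(f"not a fused technique line: {line!r}")
    return m.group(1), m.group(2).strip()


def build_layer(page_ttps, name="APT3 (threatfilter.dev listing)"):
    """Return a Navigator layer dict; a (technique, tactic) pair listed twice is an error."""
    techniques, seen = [], set()
    for heading, lines in page_ttps.items():
        tactic = TACTIC_SHORTNAMES[heading]
        for line in lines:
            tid, tname = parse_fused(line)
            if (tid, tactic) in seen:
                raise ValueError(f"{tid} listed twice under {tactic}")
            seen.add((tid, tactic))
            techniques.append({"techniqueID": tid, "tactic": tactic,
                               "score": 1, "color": "#ff6666", "comment": tname})
    return {
        "name": name,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


def tactic_counts(layer):
    """Number of techniques per tactic in the layer (tactics with no entries are absent)."""
    return Counter(t["tactic"] for t in layer["techniques"])


def orphan_subtechniques(layer):
    """Sub-technique IDs whose parent technique is not itself in the layer."""
    ids = {t["techniqueID"] for t in layer["techniques"]}
    return sorted(t for t in ids if "." in t and t.split(".")[0] not in ids)


if __name__ == "__main__":
    layer = build_layer(PAGE_TTPS)
    print(json.dumps(layer, indent=2))
    print(dict(tactic_counts(layer)), len(layer["techniques"]))
```

Save the printed JSON and load it through the Navigator's "Open Existing Layer" option. With the list as it appears on the page the parser yields 43 techniques across 10 populated tactics, since the Exfiltration heading carries no entries; orphan_subtechniques lists the sub-techniques (every one except the two T1027 children) whose parent you may want to add before comparing against a detection layer, because Navigator only scores exactly the IDs supplied.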
Tools & malware (6)
OSInfo · schtasks · PlugX · LaZagne · SHOTPUT · RemoteCMD
Reporting (3)
- Insikt Group (Recorded Future), 17 May 2017. Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3.
- Symantec Security Response. Buckeye cyberespionage group shifts gaze from US to Hong Kong.
- Lancaster, T. A tale of Pirpi, Scanbox & CVE-2015-3113.