Spotlight on APT10

To kick off our series highlighting the most notorious and dangerous hacker groups in the industry today, we will focus on a group called APT10. APT10, also known as Stone Panda or Red Apollo, is a state-sponsored Chinese hacking group that has been active since at least 2009. The group targets a wide range of organizations including government agencies, military organizations, and businesses in various industries. 

Who is APT10 

APT10 is not a standalone group, but part of a larger Chinese cyber espionage campaign known as Operation Cloud Hopper, which targets managed service providers (MSPs) to gain access to their clients’ networks. In 2018, two Chinese nationals associated with the Chinese Ministry of State Security (MSS) were indicted by the US Department of Justice for their role in APT10’s cyber espionage activities. This was a significant development in the ongoing effort to combat state-sponsored cyber attacks. 

APT10 Aims High 

APT10 knows no boundaries when it comes to attacks. For example, one of the group’s most notable campaigns was in 2014 when it targeted the US Office of Personnel Management (OPM) and stole the personal information of over 21 million government employees. This was considered one of the largest breaches of federal government data in US history. 

APT10 is also known for its focus on intellectual property theft, particularly of sensitive business and technological information. APT10 is believed to have targeted multiple organizations in the aerospace, defense, and energy sectors, as well as technology and engineering fields. Because of this targeting and the resulting data exfiltration, the group poses a significant national-security threat, acting on behalf of the Chinese state.

Methods of APT10 Attacks 

APT10’s use of advanced techniques such as custom malware and spear-phishing campaigns makes the group technically distinctive. It uses a variety of tools and techniques to infiltrate and maintain access to target networks, including remote access trojans (RATs) and web shells.

In addition, APT10 uses the technique of “living off the land” to evade detection and maintain access to target networks. This involves using legitimate tools and processes already present on a system, rather than introducing new malware or other malicious software. 

APT10 also uses “watering hole” attacks, where the group compromises a website likely to be visited by its intended targets in order to infect their systems with malware or steal sensitive information. This technique allows the group to focus on the most valuable targets. 

In recent years, APT10 has been observed using various malware families such as PlugX, Quasar, and RedLeaves. These malware families are used to establish a foothold on a target network and gain persistence. The group has also been known to use infrastructure leased from legitimate, but unaware, hosting providers, making it difficult to trace the origin of the attack. 
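The “living off the land” point above is why process-level telemetry matters: the tools themselves are legitimate, so detection has to key on who launched them and how. The following is an added example, not code from the original post, that scans constructed process-creation events for legitimate system tools spawned by parents that should never launch them (document readers, web server workers) or invoked with hidden/encoded flags. The log format and the parent/child heuristics are assumptions for illustration.

```python
"""Flag living-off-the-land style abuse in process-creation logs (added example)."""
from dataclasses import dataclass

# Assumed heuristics: common detection pairings, not behaviour the post attributes to APT10.
LOTL_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "mshta.exe",
              "certutil.exe", "rundll32.exe", "regsvr32.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}   # web shell indicator
HIDDEN_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden")


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    # Constructed log format: host|parent_image|image|command_line
    host, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(host, parent.lower(), image.lower(), cmdline)


def classify(ev: ProcEvent):
    """Return a reason string if the event looks like tool abuse, else None."""
    if ev.image not in LOTL_TOOLS:
        return None
    if ev.parent in SERVER_PARENTS:
        return "web server worker spawned a system tool (possible web shell)"
    if ev.parent in DOCUMENT_PARENTS:
        return "document reader spawned a system tool (possible phishing lure)"
    low = ev.cmdline.lower()
    if any(m in low for m in HIDDEN_MARKERS):
        return "hidden or encoded interpreter invocation"
    return None


def find_alerts(lines):
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = classify(ev)
        if reason:
            alerts.append((ev.host, ev.parent, ev.image, reason))
    return alerts


# Constructed sample events: only host01, host02 and host05 should alert.
SAMPLE_LOG = r"""host01|explorer.exe|powershell.exe|powershell.exe -File C:\Scripts\backup.ps1
host01|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc <base64-placeholder>
host02|w3wp.exe|cmd.exe|cmd.exe /c dir
host03|services.exe|svchost.exe|svchost.exe -k netsvcs
host04|explorer.exe|certutil.exe|certutil.exe -verify cert.cer
host05|explorer.exe|powershell.exe|powershell.exe -w hidden -File login.ps1"""

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The first event (a scripted backup launched from the desktop) is deliberately left unflagged to show that the heuristics key on context, not on the presence of the tool itself.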

Preparing for APT10 

It is difficult to prepare for APT10’s attacks because modern cloud and datacenter perimeters are effectively limitless. The best approach is to stay aware and implement multiple layers of security.

With the growing number of cyber-attacks and concern about state-sponsored hacking groups like APT10, organizations need to take a proactive approach to protection. This includes implementing strong and comprehensive full-stack security measures such as managed firewalls, intrusion detection and prevention systems, and regular updates to software and systems. Most importantly, professional 24×7 active technical monitoring is a necessity for a well-protected computing system environment. 

Organizations can take several steps to protect themselves against APT10 and other state-sponsored hacking groups: 

  • Implement strong security measures: This includes using fully managed firewalls from a trusted third party, fully managed intrusion detection, endpoint protection and prevention systems, and regularly updating software and systems. 
  • Technical monitoring: Active technical monitoring is critical to a well-protected environment. Organizations should partner with a trusted managed security operations center provider to gain access to tools and techniques that detect unusual network activity and potential threats. 
  • Incident response plans: Organizations should have incident response plans in place, including procedures to minimize damage and a team or partner ready to respond quickly to an attack. 
  • Awareness and education: Employees should be trained on the importance of cybersecurity and how to detect and report suspicious activities. 
  • Partner with security experts: Organizations can partner with security experts familiar with numerous threats across industries, and leverage their knowledge and experience to stay ahead of threat actors. 
  • Use multiple layers of security: With the increasing number of cyber attacks, organizations need to use multiple layers of security including network security, endpoint security, and application security. 
  • Regularly assess and update security measures: Organizations should regularly assess and update their security and compliance measures to stay ahead of the latest threats. 

A Significant Threat 

That is just a quick look at APT10, the well-known and dangerous Chinese state-sponsored hacking group that has been active for over a decade. This sophisticated and well-funded group has been responsible for a number of high-profile cyber attacks and, as APT10 continues to evolve its tactics and techniques, it poses an ongoing threat to organizations around the world. Organizations should make it a critical mission to be aware of the group and to take steps to protect themselves from APT10.

This article was originally published in Forbes. Please follow me on LinkedIn.