24 tweets, 16 min read
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c…
Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Interestingly the indictment calls out multiple government organizations by name that were victims including:
@NASAGoddard, @NASAJPL, @LLNL, and the @USNavy

2/n
Specifically, it calls out that more than 100,00 Navy personnel had their PII stolen, including name, SSN, email address, etc. I'd be curious to see the timeline of this related to the OMB breach of personnel records

3/n
In late 2009/2010 a major shift occurred: CN APT operators went from targeting USG/Military/Defense to commercial entities for economic gain. Coincidentally, this is exactly when I started @Mandiant, so I got to witness the shift first-hand, with #APT10 being one of the groups

4/n
You might remember the first reports about this shift reported publicly as "Operation Aurora". We (@Mandiant) were in the thick of it at the time (and actually notified many/most of the companies affected by #APT8).

5/n
en.wikipedia.org/wiki/Operation…
The indictment also (indirectly) refers to this shift in 2010 in their discussion of when #APT10 started registering domains for malware command and control.

6/n
I bring up #APT8 for two reasons:
1) They were the first CN APT group to target the commercial sector
2) We initially thought #APT8 & #APT10 were the same. We weren't as mature in our attribution methodology & equated use of private malware (e.g. PlugX/Sogu, etc.) to a specific group

7/n
Starting in 2014, #APT10 started another change/shift in tactics & compromised third-party service providers (e.g. IT outsourcers), referred to as Managed Service Providers in the indictment, and used their networks to compromise/access systems/data in their customers' networks.

8/n
This type of attack is one of the most difficult to detect for most orgs. IT outsourcers (I'll use the indictment's shorthand, MSP) inherently need to have access & admin privileges to customer networks. An attacker can leverage the same connection and creds to access the victim network

9/n
Once inside a victim network (through the MSP), #APT10 would search for the systems/data of interest, stage the data & then, instead of sending it directly out of the victim, move it to systems in the MSP or another customer of the MSP & send it out from there.

10/n
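The MSP-pivot pattern above leaves two signals a customer can look for on its own side of the link: the MSP's admin account turning up on hosts the MSP was never contracted to manage, and MSP-bound outbound volume far above that host's normal backup/telemetry baseline. Below is an added detection sketch (my example, not from the thread, the indictment or any vendor report) run over constructed flow records; the address ranges, account name, managed-host list and baselines are all assumed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (documentation ranges, not real addresses)
INTERNAL = ip_network("10.0.0.0/8")             # victim's own address space
MSP_RANGE = ip_network("203.0.113.0/24")        # MSP management subnet over the site-to-site link
MSP_ACCOUNT = "svc_msp_admin"                   # assumed MSP-issued admin account
MSP_MANAGED_HOSTS = {"10.1.1.10", "10.1.1.11"}  # hosts the MSP is contracted to administer
# Assumed per-host daily baseline of bytes normally sent to the MSP (backups, telemetry)
BASELINE = {"10.1.1.10": 40_000_000, "10.1.1.11": 35_000_000}

# Constructed flow records: (day, account, src_ip, dst_ip, bytes_out)
FLOWS = [
    ("2018-12-01", MSP_ACCOUNT, "10.1.1.10", "203.0.113.5", 38_000_000),   # routine backup
    ("2018-12-01", MSP_ACCOUNT, "10.1.1.11", "203.0.113.5", 36_000_000),
    ("2018-12-02", MSP_ACCOUNT, "10.1.1.10", "203.0.113.5", 41_000_000),
    ("2018-12-02", MSP_ACCOUNT, "10.2.7.42", "203.0.113.9", 900_000_000),  # file server outside MSP scope
    ("2018-12-02", "jdoe",      "10.2.7.42", "10.3.0.4",    5_000_000),    # internal only, ignored
]

def msp_bound_volume(flows):
    """Sum bytes per (day, src) for internal -> MSP flows only."""
    totals = defaultdict(int)
    for day, _acct, src, dst, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in MSP_RANGE:
            totals[(day, src)] += nbytes
    return totals

def volume_alerts(flows, baseline=BASELINE, factor=5, floor=100_000_000):
    """Hosts whose MSP-bound volume exceeds factor x their baseline, or an absolute
    floor when the host has no baseline at all (it normally never talks to the MSP)."""
    out = []
    for (day, src), total in sorted(msp_bound_volume(flows).items()):
        expected = baseline.get(src)
        limit = expected * factor if expected else floor
        if total > limit:
            out.append((day, src, total))
    return out

def scope_alerts(flows, managed=MSP_MANAGED_HOSTS):
    """The MSP account used on a host outside the MSP's contracted scope."""
    return sorted({(day, src) for day, acct, src, _dst, _n in flows
                   if acct == MSP_ACCOUNT and src not in managed})

if __name__ == "__main__":
    for alert in volume_alerts(FLOWS):
        print("volume:", alert)
    for alert in scope_alerts(FLOWS):
        print("scope:", alert)
```

Both checks need a baseline and a managed-host list that only the customer can maintain, which is exactly the visibility an MSP-originated intrusion is counting on you not having.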
@Mandiant referenced this in the 2016 M-Trends report:

"We also discuss two trends that we see year after year, as part of our “Trends Turned Constants” section. One involves leveraging third-party service providers to gain access to victim organizations."

fireeye.com/blog/executive…
@BAESystemsInc and @PwC_UK released a great joint report on #APT10's targeting of MSPs to access their customer networks, dubbed "Operation Cloud Hopper"

baesystemsai.blogspot.com/2017/04/apt10-…
pwc.co.uk/issues/cyber-s…
1) MSP networks aren't nearly as secure as you would think

If your network was accessed by #APT10 through your MSP:
2) how would you detect it?
3) is your MSP legally obligated to notify you?
4) what contractual remedies do you have if it happens or if they don't notify you?

13/n
I say this because I've seen more than one instance where the MSP didn't notify their customer(s), in part because it would/could materially impact their entire business model.

14/n
I haven't seen much discussion of it but the indictment specifically calls out that #APT10 was multiple individuals working for a *private* company (Huaying Haitai) & acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau

CC: @RidT
15/n
The calling out of a private contractor is similar to the previous DOJ indictment of #APT3 operators working for "Boyusec". Both companies were called out by @intrusion_truth

In contrast, the Russian cyber indictment called out the GRU directly

16/n
intrusiontruth.wordpress.com/2018/08/09/was…
The indictment referenced changing tactics (malware, domains, etc.) in 2017 after a private cyber security report, which lines up with a @FireEye report in April 2017.

17/n
"[APT10] established the service provider IP as a proxy for the victim’s SOGU backdoor"
"APT10 spear phishes...leverag[ed] .lnk files within archives"

.lnk files in archives...where have I seen that recently (*cough* APT29)?

fireeye.com/blog/threat-re…

17/n
fireeye.com/blog/threat-re…
Here's the first @FireEye/@Mandiant public reference I can find to #APT10/MenuPass (the iSight name for the group [based on the Poison Ivy password])...although I'm sure we discussed their activity somewhere in a webinar/public conference

fireeye.com/content/dam/fi…

18/n
This is the latest @FireEye report, from Sept 2018, discussing #APT10 spear phishing targeting Japanese orgs. Note the use of #Redteam-developed/documented tactics of using certutil.exe, esentutil.exe, and password-protected Word documents.

19/n
fireeye.com/blog/threat-re…
The 2015 Obama/Xi agreement significantly reduced targeting of US & UK commercial entities by CN APT in 2015-17, but they didn't stop targeting non-US/UK orgs for commercial gain

Great Tweet by @RidT demonstrating the impact of CN APT against German orgs

20/n
Following the DOJ indictments, #APT3 as we know it was effectively disbanded/broken up.

#APT10 is active currently. What do you think will happen to the group #APT10 as we currently know them?

21/n
This is a better link to the 2016 @Mandiant M-Trends report. Check out pages 22-27

@smoothimpact brought up a good point. Although #APT10 is prolific at targeting MSPs, many other CN APT groups (e.g. APT22) & other nations target MSPs regularly

22/n
fireeye.com/content/dam/fi…