Profile picture
Christopher Glyer
@cglyer
, 24 tweets, 16 min read Read on Twitter
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c…
Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Interestingly the indictment calls out multiple government organizations by name that were victims including:
@NASAGoddard, @NASAJPL, @LLNL, and the @USNavy

2/n
Specifically it calls out that more than 100,00 Navy personnel had their PII stolen including name, SSN, email address...etc. I'd be curious to see the timeline of this related to the OMB breach of personnel records

3/n
In late 2009/2010 a major shift occurred. CN APT operators went from targeting USG/Military/Defense to commercial entities for economic gain. Coincidentally this is exactly when I started @Mandiant, so I got to witness the shift first hand with #APT10 being one of the groups

4/n
You might remember the first reports about this shift reported publicly as "Operation Aurora". We (@Mandiant) were in the thick of it at the time (and actually notified many/most of the companies affected by #APT8).

5/n
 en.wikipedia.org/wiki/Operation…
The indictment also (indirectly) refers to this shift in 2010 in their discussion of when #APT10 started registering domains for malware command and control.

6/n
I bring up #APT8 for two reasons
1) They were first CN APT group to target commercial sector
2) We initially thought #APT8 & #APT10 were the same. We weren't as mature in our attribution methodology & equated use of private malware (e.g plugx/sogu...etc.) to a specific group

7/n
Starting in 2014, #APT10 started another change/shift in tactics & compromised 3rd party service providers (e.g. IT outsourcers), referred to as Managed Service Providers in the indictment, and used their networks to compromise/access systems/data in their customer networks.

8/n
This type of attack is one of the most difficult to detect for most orgs. IT outsourcers (I'll use indictment shorthand MSP) inherently need to have access & admin privileges to customer networks. Attacker can leverage same connection and creds to access victim network

9/n
Once inside a victim network (through the MSP) #APT10 would search for the systems/data of interest, stage the data & then instead of sending it directly out of victim - would move it to systems in the MSP or another customer of the MSP & send it out from there.

10/n
.@Mandiant referenced this in 2016 M-trends report

"We also discuss two trends that we see year after year, as part of our “Trends Turned Constants” section. One involves leveraging third-party service providers to gain access to victim organizations."

fireeye.com/blog/executive…
.@BAESystemsInc and @PwC_UK released a great joint report on #APT10's targeting of MSP's to access their customer networks dubbed "Operation Cloud Hopper"

baesystemsai.blogspot.com/2017/04/apt10-…
pwc.co.uk/issues/cyber-s…
1) MSP networks aren't nearly as secure as you would think

If your network accessed by #APT10 through your MSP:
2) how would you detect it?
3) is your MSP legally obligated to notify you?
4) what contractual remedies do you have if it happens or if they don't notify you?

13/n
I say this because I've seen more than one instance where the MSP didn't notify their customer(s) - in part because it would/could materially impact their entire business model.

14/n
I haven't seen much discussion of it but the indictment specifically calls out that #APT10 was multiple individuals working for a *private* company (Huaying Haitai) & acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau

CC: @RidT
15/n
The calling out of a private contractor is similar to the previous DOJ indictment of #APT3 operators working for "Boyusec". Both companies were called out by @intrusion_truth

In contrast the Russian cyber indictment called out the GRU directly

16/n
 intrusiontruth.wordpress.com/2018/08/09/was…
The indictment referenced changing tactics (malware, domains...etc.) in 2017 after a private cyber security report - which lines up with a @FireEye report in April 2017.

17/n
"[APT10] established the service provider IP as a proxy for the victim’s SOGU backdoor"
"APT10 spear phishes...leverag[ed] .lnk files within archives"

.lnk files in archives...where have I seen that recently (*cough* APT29)?

fireeye.com/blog/threat-re…

17/n
 fireeye.com/blog/threat-re…
Here's the first @FireEye/@Mandiant public reference I can find to #APT10/MenuPass (iSight name for the group [based on the Poison Ivy password])...although I'm sure we discussed their activity somewhere in a webinar/public conference somewhere

fireeye.com/content/dam/fi…

18/n
This is latest @FireEye report from Sept 2018 discussing #APT10 spear phishing targeting Japanese orgs. Note the use of #Redteam developed/documented tactics of using certutil.exe, esentutil.exe, and password protected Word documents.

19/n
 fireeye.com/blog/threat-re…
2015 Obama/Xi agreement significantly reduced targeting of US & UK commercial entities by CN APT in 2015-17, but they didn't stop targeting non US/UK orgs for commercial gain

Great Tweet by @RidT demonstrating impact of CN APT against German orgs



20/n
Following the DOJ indictments - #APT3 as we know it was effectively disbanded/broken up.

#APT10 is active currently. What do you think will happen to the group #APT10 as we currently know them?

21/n
This is a better link to the 2016 @Mandiant M-Trends report. Check out pages 22-27

@smoothimpact brought up a good point. Although #APT10 is prolific at targeting MSPs. Many other CN APT groups (e.g. APT22) & other nations target MSPs regularly

22/n
 fireeye.com/content/dam/fi…
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Christopher Glyer
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#APT10 #APT8 #APT3 #Redteam

More from @cglyer see all

Profile picture
Christopher Glyer
@cglyer
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
Read 10 tweets
Profile picture
Christopher Glyer
@cglyer
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re

#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware

#FireEyeSummit
Read 7 tweets
Profile picture
Christopher Glyer
@cglyer
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit
It's not often that you see ACI Shims used for persistence

#FireEyeSummit
How do you hunt for ACI Shim persistence? Multiple different techniques - but the Windows Program-Telemetry logs are a great place to look

#FireEyeSummit
Read 5 tweets

Related threads

Profile picture
IndiaBioscience.org
@IndiaBioscience
(1/n) It's time for our first monthly review of 2019! We have had a fun January at @IndiaBioscience and here are a few #highlights
(2/n) We began a new season of our #podcast series called 'Crafting your Career'. This season will focus on the ecosystem of science careers in India. You can listen to the first episode here - indiabiospeaks.libsyn.com/cyc-01-introdu… #careerdevelopment #sciencecareers #craftingyourcareer
(3/n) The second episode in our #podcast series discusses the best ways to identify our own skills, interests and values and using the knowledge so gained to make an informed career decision indiabiospeaks.libsyn.com/crafting-your-…
Read 18 tweets
Profile picture
Karol 🌿
@karolcummins
🎉HappyNewYear🎉

Hackers Threaten to Dump Ins Files Related to 9/11 Attacks

The Dark Overlord appears to be trying to capitalize on conspiracy theories about the 9/11attacks.

RU detains US citizen Paul Whelan on suspicion of spying

China 'releases' CAN teacher Sarah McIver
🎉HappyNewYear2🎉

UK’s WW3 THREAT: RU, China & N & S POLES are UK dangers in 2019

Huawei CFO linked to firm that offered HP gear to Iran

Trump pulled out of a massive trade deal (TTP). Now 11 countries are going ahead w/out the US & our goods will now be subject to tariffs.
🎉HappyNewYear3🎉

Super cars owned by Emirati financier Khadem al-Qubaisi seized over 1MDB scandal

John Kelly told Trump: "The last thing in my view that you need in the chief of staff is someone that looks at every issue through a political lens."
Read 65 tweets
Profile picture
Karol 🌿
@karolcummins
💣ChaosAgent💣

📌Mattis’ resign’n letter is a brilliant FU.

📌Signal to GOP.

📌On duty til 2/28/19

📌Has confidence Trump is handled.

📌SC delivers mid Feb. RR👑

📌Ignore Wall.

📌Cover for stock market crash & 45’s sell out of Syria (AFG too)
👉🏼RU, TU & Iran. #Traitor
💣ChaosAgent💣

📌Trump's Foreign Policy Is Making RU Fascism Great Again

As he sabotages US strategic alliances in favor of pro-Kremlin autocrats, Trump is acting out the geopolitical fantasies of Alexander Dugin, rising RU fascist ideologue & guru to Trump's alt-R base
💣ChaosAgent3💣

📌Erdogan & Trump agreed Friday to ‘more effective coordination’ between their countries’ operations in Syria.
#Khoshoggi

Trump didn't bother to invite Joint Chiefs Chair Gen. Dunford to the Syria meeting & kept him in the dark until after the decision was made.
Read 92 tweets
Profile picture
Thomas Rid
@RidT
Here we go: United States of America v. Godkiller sc.cnbcfm.com/applications/c…
Impressive to see FBI Director Wray speak cogently about digital forensics, malware analysis, and overlapping APT10 command-and-control infrastructure — we've come a long way since that botched 2014 press release on the Sony Hack
And VERY impressive to see that DoJ's APT10 indictment/attribution was orchestrated to happen simultaneously with a major UK high-confidence intelligence assessment — the first time Britain is publicly calling out China for digital espionage gov.uk/government/new…
Read 8 tweets
Profile picture
Eric Geller
@ericgeller
The Justice Department is about to announce charges against Chinese government (APT10) hackers for a long-running economic espionage campaign against U.S. and other Western businesses.

Watch live: justice.gov/live
Deputy AG Rod Rosenstein: "Today, the Department of Justice is announcing a criminal indictment of two hackers associated with the Chinese government" for attacks on "dozens of companies in the United States and around the world."
Rosenstein: The charges are for attacks on "managed service providers" that provide IT services to other companies.
Read 34 tweets
Profile picture
حسن سجواني 🇦🇪 Hassan Sajwani
@HSajwanization
JUST IN: @Twitter CEO @Jack Dorsey says in prepared testimony to Congress: ' #Twitter does not use political ideology to make any decisions'.
He is due to appear before the House Committee on Energy and Commerce Wednesday 5th Sept 2018.
@CNBCnow
Here’s the full testimony:
sc.cnbcfm.com/applications/c…
WATCH #LIVE : @Twitter CEO @jack and #Facebook COO Sheryl Sandberg testify on foreign interference.
pscp.tv/ABC/1kvJpaEknR…
Read 4 tweets

Trending hashtags

#WATCH #OBSERVATIONS #UnderstatementOfTheYear #SC05 #academia #murals #pedagogy #WhitakerMustRecuse #Irishmyths #Conspiracy #fintech #BRI #TeamNutShellReport #hamildrop #streetart #FBICorruption #education #APT #KimJongUn #Russian #theTroubles #TrumpRussia #Irish #Busted #ErikPrince
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!