JUST RELEASED: ATT&CK for Industrial Control Systems


APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.[1]

ID: G0005
Associated Groups: IXESHE, DynCalc, Numbered Panda, DNSCALC
Version: 2.0
Created: 31 May 2017
Last Modified: 10 June 2019

Associated Group Descriptions

Name Description
IXESHE [1] [2]
DynCalc [1] [2]
Numbered Panda [1]

Techniques Used

Domain ID Name Use
Enterprise T1203 Exploitation for Client Execution

APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).[2][3]

Enterprise T1193 Spearphishing Attachment

APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.[2][3]

Enterprise T1204 User Execution

APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.[2][3]

Enterprise T1102 Web Service

APT12 has used blogs and WordPress for C2 infrastructure.[1]


ID Name References Techniques
S0040 HTRAN [3] Connection Proxy, Process Injection, Rootkit
S0015 Ixeshe [4] [2] Command-Line Interface, Commonly Used Port, Data from Local System, Data Obfuscation, File and Directory Discovery, File Deletion, Hidden Files and Directories, Masquerading, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery
S0003 RIPTIDE [2] Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol