APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
Name | Description |
---|---|
Mulberry Typhoon | |
MANGANESE | |
BRONZE FLEETWOOD | |
Keyhole Panda | |
UNC2630 | |
ID | Name | First Seen | Last Seen | References | Techniques |
---|---|---|---|---|---|
C0052 | SPACEHOP Activity | January 2019 [9] | May 2024 [9] | [9] | Acquire Infrastructure: Virtual Private Server, Exploit Public-Facing Application, Obtain Capabilities: Tool, Proxy: Multi-hop Proxy |
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1098.007 | Account Manipulation: Additional Local or Domain Groups | APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[4] |
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.[9] |
Enterprise | T1583.005 | Acquire Infrastructure: Botnet | APT5 has acquired a network of compromised systems – specifically an ORB (operational relay box) network – for follow-on activities.[9] |
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT5 has used the JAR/ZIP file format for exfiltrated files.[4] |
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT5 has used PowerShell to accomplish tasks within targeted environments.[4] |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT5 has used cmd.exe for execution on compromised systems.[4] |
Enterprise | T1554 | Compromise Host Software Binary | APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs, including the legitimate DSUpgrade.pm file, to install the ATRIUM webshell for persistence.[3][4] |
Enterprise | T1136.001 | Create Account: Local Account | APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.[4] |
Enterprise | T1074.001 | Data Staged: Local Data Staging | APT5 has staged data on compromised systems prior to exfiltration often in |
Enterprise | T1190 | Exploit Public-Facing Application | APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers.[3][4][1][2] SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access.[1][9] |
Enterprise | T1083 | File and Directory Discovery | APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.[4] |
Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.[4] |
Enterprise | T1070 | Indicator Removal | APT5 has used the THINBLOOD utility to clear SSL VPN log files located at |
Enterprise | T1070.003 | Indicator Removal: Clear Command History | APT5 has cleared the command history on targeted ESXi servers.[4] |
Enterprise | T1070.004 | Indicator Removal: File Deletion | APT5 has deleted scripts and web shells to evade detection.[3][4] |
Enterprise | T1070.006 | Indicator Removal: Timestomp | |
Enterprise | T1056.001 | Input Capture: Keylogging | APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.[5][6] |
Enterprise | T1654 | Log Enumeration | APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[4] |
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | APT5 has named exfiltration archives to mimic Windows Updates, at times using filenames with a |
Enterprise | T1588.002 | Obtain Capabilities: Tool | SPACEHOP Activity leverages a C2 framework sourced from a publicly available GitHub repository for administration of relay nodes.[9] |
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.[4] |
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.[4] |
Enterprise | T1057 | Process Discovery | APT5 has used Windows-based utilities, including tasklist.exe, to carry out tasks.[4] |
Enterprise | T1055 | Process Injection | APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality.[4] |
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications.[9] |
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | APT5 has moved laterally throughout victim environments using RDP.[4] |
Enterprise | T1021.004 | Remote Services: SSH | APT5 has used SSH for lateral movement in compromised environments, including for enabling access to ESXi host servers.[4] |
Enterprise | T1053.003 | Scheduled Task/Job: Cron | APT5 has made modifications to the crontab file including in |
Enterprise | T1505.003 | Server Software Component: Web Shell | APT5 has installed multiple web shells on compromised servers, including on Pulse Secure VPN appliances.[3][4] |
Enterprise | T1049 | System Network Connections Discovery | APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.[4] |
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | APT5 has used legitimate account credentials to move laterally through compromised environments.[3] |
Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | APT5 has accessed Microsoft M365 cloud environments using stolen credentials.[4] |