2022-04-13

APT10/Cicada Espionage Attacks

Industry: Government, Legal, Non-Governmental Organizations (NGOs), Pharmaceutical, Religious, Telecommunications | Level: Tactical | Source: Symantec

Symantec has been tracking an espionage campaign spanning several months (earliest sign mid-2021), tied to the Chinese APT group APT10 (aka Cicada, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team). The APT group has previously targeted Japanese-linked companies; however, they have recently expanded their attacks globally, including Europe, Asia, and North America. Entities targeted by the group include government, legal, religious, and non-governmental organizations (NGOs); however, the current campaign appears to focus on government and NGO entities. Previously, APT10 focused primarily on Japanese companies; however, in the present campaign, only one victim in Japan was identified. Techniques used in the threat campaign have involved exploiting Microsoft Exchange Servers for initial access, with various tools used during the attack phase, including WinRAR for data archival, Mimikatz, WMIExec, NBTScan, and the group's custom tool Sodamaster. Sodamaster is capable of evading sandbox checks, enumerating the host, and downloading additional payloads.

Anvilogic Use Cases:

  • Common Reconnaissance Commands
  • Utility Archive Data
  • Mimikatz
  • Wscript/Cscript Execution
  • WinRM Tools
  • Query Registry