Symantec implicates APT10 in sweeping hacking campaign against Japanese firms

After a 2018 U.S. indictment, it looks like APT10 is back.
Tokyo, Japan at night // Pixabay CC0 Creative Commons

A Chinese government-linked hacking group whose operatives have been indicted by the U.S. and sanctioned by the European Union is suspected in a year-long effort to steal sensitive data from numerous Japanese companies and their subsidiaries, security researchers said Tuesday.

The attackers, known as APT10 or Cicada, have been burrowing into the networks of companies in the automotive, pharmaceutical and engineering sectors, according to researchers from antivirus provider Symantec. They have sometimes lingered for months before trying to extract data and have targeted domain controllers, the servers that handle authentication and control access to resources across an organization’s network.

While Symantec did not identify specific targets, the company said many of the organizations have links to Japan, or Japanese companies. China and Japan are, respectively, the second and third biggest economies in the world. The two Asian countries have long had territorial disputes, and Japanese organizations have been a frequent target of alleged Chinese cyber-espionage.

“We believe the APT10/Cicada campaign is focused on large-scale IP [intellectual property] theft across multiple verticals,” said Vikram Thakur, technical director at Symantec, a division of semiconductor maker Broadcom. That the activity spans multiple sectors is “indicative of the attack group not being focused on intelligence or IP associated with a single geopolitical event or equipment,” he added.

Ben Read, senior manager of analysis at Mandiant Threat Intelligence, agreed that APT10 was behind the latest activity, which he described as a “reemergence” of the group after its alleged operatives were indicted by a U.S. grand jury in 2018.

“We believe that these intrusions are designed to steal intellectual property or other information that would give a business advantage to Chinese firms,” Read said.

APT10, which U.S. officials have alleged operates on behalf of China’s civilian intelligence service, has for over a decade been a key prong in alleged Chinese espionage activity. The group has a well-documented history of targeting Japanese companies, including an alleged attempt to infiltrate Japanese media organizations in 2018.

U.S. officials have for years accused Chinese hackers of stealing intellectual property, in spite of a 2015 bilateral agreement not to do so. The Chinese government has consistently denied the allegations.

‘Cloud hopping’ still works

Despite detailed public exposures of their hacking tactics, the group has continued to try to use IT service providers as a foothold into big corporate networks.

The U.S. Justice Department in December 2018 announced the indictment of two Chinese men and alleged APT10 operatives for targeting more than 45 companies and government agencies. That indictment, along with a 2017 report from BAE Systems and PricewaterhouseCoopers, laid bare APT10’s tactic of breaching IT management systems to access valuable corporate secrets. That tactic earned the group the moniker “Cloudhopper.”

“Public documentation of the group’s activity, along with legal indictments from 2018, have had little to no effect on APT10’s functioning,” Thakur said.

The Symantec research follows multiple high-profile cybersecurity incidents in Japan this year.

Unidentified attackers in May breached Japanese data-management company NTT Communications in an incident that affected up to 621 clients. Separately, Japanese officials have been investigating a possible breach of sensitive defense contracting data following a 2019 attack on electronics giant Mitsubishi Electric.

There is no evidence connecting APT10 to those incidents, Thakur said.

The suspected APT10 campaign also targeted organizations in Mexico, France and the U.S., Symantec said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.