Advertisement

Chinese-linked APT10 has been active in the Philippines, researchers say

In recent years the group has compromised organizations in the U.S., Europe, and Japan.

An elite Chinese government-linked hacking group known for allegedly stealing reams of data from U.S. organizations has been actively targeting entities in the Philippines, according to new research first shared with CyberScoop.

During the month of April, the APT10 hacking group, which U.S. officials have tied to China’s civilian intelligence agency, has been using two new malicious software variants to deliver its payloads against targets in the Philippines, according to analysts from endpoint security firm enSilo.

“Both the loader variants and their various payloads that we analyzed share similar tactics, techniques, and procedures, and code associated with APT10,” the firm wrote in research published Friday. CyberScoop was unable to independently confirm that the malicious activity was tied directly to APT10. Some of the data points in the enSilo research have been tied to China-based hackers, but not exclusively to APT10, independent researchers said.

It is unclear what the goal of the targeting is, or who the victims are, enSilo said. The burst of new activity targeting the Philippines could be a short-lived attack or a test run for a future campaign.

Advertisement

But the researchers are trying to warn potential victims about changes in the hacking group’s malicious code, and allow other APT10 investigators in the cybersecurity community to contribute their own analysis.

“Our main goal was to get [the word] out as soon as possible” so others can defend their networks, enSilo’s CTO and co-founder Udi Yavo told CyberScoop, adding that the company’s researchers are still searching for additional forensics that could be related to the new activity.

Attributing hacking activity can be a delicate and difficult act for analysts, and other researchers have apparently erred in blaming APT10 for past hacking activity.

Yavo said enSlio researchers thoroughly compared the coding and variants with previous APT10 activity and concluded the group was behind the recent targeting in the Philippines.

“We’ve seen that a significant part of the code base is the same, or very, very similar, [to APT10’s],” Yavo said. “So assuming that it’s not someone who has access to a similar code base, it should be APT10.”

Advertisement

In a similar attack pattern to the kind APT10 has carried out in recent years, hackers are abusing legitimate executables to unpack shellcode in the memory of a target machine, and then delivering modified versions of the remote access trojans (RAT) known as Quasar and PlugX, according to Yakov Goldberg, enSilo’s director of forensics and threat intelligence (Multiple groups, and not just APT10, have used Quasar and PlugX RATs before). The RAT then uses a tool dubbed SharpSploit to extract passwords from a hacked machine. Computer servers in South Korea and a domain registered in Hong Kong were used in the attack, he added.

APT10’s reach is global. In recent years it has compromised organizations in the U.S., Europe, and Japan. Analysts say the Chinese civilian intelligence agency that reportedly sponsors APT10, the Ministry of State Security, has become Beijing’s preferred arm for conducting cyber-economic espionage.

Last December, the Department of Justice unsealed charges against two accused APT10 members for allegedly targeting more than 45 companies and government agencies, including NASA, the U.S. Navy, and a Department of Energy laboratory. And reports of ATP10’s rampant activity – and its intent to use “managed service providers,” which corporations use for IT configuration, to siphon off companies’ proprietary data – have led the Department of Homeland Security to brief the private sector in detail on the threat.

The Chinese government has denied allegations that it engages in state-sponsored intellectual property theft.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts