ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: APT 4, Maverick Panda, Wisp Team

Names: APT 4 (Mandiant), APT 4 (FireEye), Maverick Panda (CrowdStrike), Wisp Team (Symantec), Sykipot (AlienVault)
Country: China
Sponsor: State-sponsored, PLA Navy
Motivation: Information theft and espionage
First seen: 2007

Description (Trend Micro): Sykipot has a history of primarily targeting the US Defense Industrial Base (DIB) and key industries such as telecommunications, computer hardware, government contractors, and aerospace. Open source review of 15 major Sykipot attacks over the last 6 years confirms this.

Recently, we encountered a case where Sykipot variants were gathering information related to the civil aviation sector. While the exploitation occurred at a target consistent with their history, the information sought raises new interest. The intentions of this latest round of targeting are unclear, but it represents a shift in objectives or mission.

Observed sectors: Aerospace, Aviation, Defense, Government, Telecommunications.
Observed countries: USA.
Tools used: Sykipot, XMRig.
Operations performed:

Dec 2011: Are the Sykipot's authors obsessed with next generation US drones?
<https://cybersecurity.att.com/blogs/labs-research/are-the-sykipots-authors-obsessed-with-next-generation-us-drones>

Jan 2012: Sykipot variant hijacks DOD and Windows smart cards
<https://cybersecurity.att.com/blogs/labs-research/sykipot-variant-hijacks-dod-and-windows-smart-cards>

Jul 2012: Sykipot is back
<https://cybersecurity.att.com/blogs/labs-research/sykipot-is-back>

Mar 2013: New Sykipot developments
<https://cybersecurity.att.com/blogs/labs-research/new-sykipot-developments>

Sep 2013: Sykipot Now Targeting US Civil Aviation Sector Information
<https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/>

2015: A group dubbed APT4 is suspected to be behind a breach of an Asian airline company discovered in the second quarter of this year. Its attack style uses well-written and researched 'spear-phishes' with industry themes. The attacks were aimed at public key infrastructure targets.
<https://www.digitalnewsasia.com/digital-economy/asia-in-the-crosshairs-of-apt-attackers-fireeye-cto>

Oct 2018: The report also mentions some attacks conducted by APT4, which include sending malicious emails to a blockchain gaming start-up last year and attacking a cryptocurrency exchange in June 2018. Last October, the group also used XMRig, a Monero cryptocurrency mining tool, on the target's computer.
<https://mycryptomag.com/2019/08/08/cryptocurrency-firms-are-targets-of-state-sponsored-hacking-group-from-china/>

Information: <https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/>

Last change to this card: 14 April 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency