ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Stone Panda, APT 10, menuPass

Names:
Stone Panda (CrowdStrike)
APT 10 (Mandiant)
menuPass Team (Symantec)
menuPass (Palo Alto)
Red Apollo (PwC)
CVNX (BAE Systems)
Potassium (Microsoft)
Hogfish (iDefense)
Happyyongzi (FireEye)
ATK 41 (Thales)
TA429 (Proofpoint)
ITG01 (IBM)
Country: China
Sponsor: State-sponsored, Tianjin bureau of the Chinese Ministry of State Security, Huaying Haitai
Motivation: Information theft and espionage
First seen: 2006
Description: menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university.
Observed sectors: Aerospace, Defense, Energy, Financial, Government, Healthcare, High-Tech, IT, Media, Pharmaceutical, Telecommunications and MSPs.
Observed countries: Australia, Brazil, Canada, Finland, France, Germany, India, Japan, Netherlands, Norway, Philippines, South Africa, South Korea, Sweden, Switzerland, Thailand, Turkey, UAE, UK, USA.
Tools used: Anel, BloodHound, certutil, ChChes, China Chopper, Cobalt Strike, Derusbi, DILLJUICE, DILLWEED, Emdivi, EvilGrab RAT, Gh0st RAT, HTran, Impacket, Invoke the Hash, Mimikatz, MiS-Type, nbtscan, PlugX, Poison Ivy, Poldat, PowerSploit, PowerView, PsExec, PsList, pwdump, Quarks PwDump, QuasarRAT, RedLeaves, Rubeus, SharpSploit, SNUGRIDE, Trochilus RAT, Living off the Land.
Operations performed:

Sep 2016: Spear-phishing attack
Method: The attackers spoofed several sender email addresses to send spear-phishing emails, most notably public addresses associated with the Sasakawa Peace Foundation and The White House.
Target: Japanese academics working in several areas of science, along with Japanese pharmaceutical organizations and a US-based subsidiary of a Japanese manufacturing organization.
<https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/>

2016: Operation “Cloud Hopper”
The campaign, which we refer to as Operation Cloud Hopper, has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. A number of Japanese organizations have also been directly targeted in a separate, simultaneous campaign by the same actor.
<https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf>
<https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/>
<https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061>

2016/2017:
Leveraging its global footprint, FireEye has detected APT10 activity across six continents in 2016 and 2017. APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide. We believe these companies are a mix of final targets and organizations that could provide a foothold in a final target.
<https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html>

Feb 2017: Operation “TradeSecret”
The National Foreign Trade Council (NFTC) website was allegedly infiltrated by Chinese nation-state threat actors, according to a new report from Fidelis Cybersecurity. The attack against the NFTC site has been dubbed ‘Operation TradeSecret’ by Fidelis and is seen as an attempt to gain insight into individuals closely associated with U.S. trade policy activities.
<https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret>

2017: Operation “ChessMaster”
Take for instance the self-named ChessMaster, a campaign targeting Japanese academe, technology enterprises, media outfits, managed service providers, and government agencies. It employs various poisoned pawns in the form of malware-laden spear-phishing emails containing decoy documents.
<https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/>

2017: Operation “Soft Cell”
Earlier this year, Cybereason identified an advanced, persistent attack targeting telecommunications providers that has been underway for years, soon after deploying into the environment.
The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.
<https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>

Nov 2017: Targeted Norwegian MSP and US Companies in Sustained Campaign
A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018.
<https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf>

2018: Operation “New Battle”
This report provides a technical overview of the bespoke RedLeaves implants leveraged by the actor in their “new battle” campaign.
<https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf>
<https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf>

Jul 2018: Attack on the Japanese media sector
In July 2018, FireEye devices detected and blocked what appears to be APT10 (menuPass) activity targeting the Japanese media sector.
<https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html>

Jan 2019: Breach of Airbus
<https://www.mirror.co.uk/travel/news/breaking-airbus-cyber-attack-believed-13955680>

Apr 2019:
In April 2019, enSilo detected what it believes to be new activity by Chinese cyber espionage group APT10. The variants discovered by enSilo are previously unknown and deploy malware that is unique to the threat actor.
<https://blog.ensilo.com/uncovering-new-activity-by-apt10>

Counter operations:

Dec 2018: Chinese Hackers Indicted
<https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018>
<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>

Jul 2020: EU imposes the first ever sanctions against cyber-attacks
<https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/>

Information:
<https://intrusiontruth.wordpress.com/2018/08/15/apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security/>
<https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/>
<https://adeo.com.tr/wp-content/uploads/2020/02/APT10_v1.2_public.pdf>
<https://exchange.xforce.ibmcloud.com/threat-group/706490628c8aa20a8a3a6e5ec81ca49b>
<https://en.wikipedia.org/wiki/Red_Apollo>

MITRE ATT&CK:
<https://attack.mitre.org/groups/G0045/>
<https://attack.mitre.org/groups/G0093/>

Playbook:
<https://pan-unit42.github.io/playbook_viewer/?pb=menupass>

Last change to this card: 31 July 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency