APT3

🔴 High
Also known as: APT3, BORON, Boyusec, Boyusec – the Guangzhou Boyu Information Technology Company, Ltd, Brocade Typhoon, BRONZE MAYFAIR, Buckeye, CYBRAN, Gothic Panda, GOTHIC PANDA, Group 6, OLDCARP, Pirpi, Red Sylvan, TG-0110, Threat Group-0110, UPS, UPS Team

APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security. [9][10] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [9][12] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [13]

🌍 Country China
📅 Activity 2015–2018
⚡ Risk Level High
🎯 Incident Type Espionage
🧭 ATT&CK G0022

Activities and Tactics

Targeted Sectors: Political party, Private sector

Country of Origin: 🇨🇳 China

Risk Level: High

First Seen: 2015

Last Activity: 2018

Incident Type: Espionage

Suspected Victims: United States, United Kingdom, Hong Kong

Notable Campaigns

  • Clandestine Fox
  • Double Tap
  • Clandestine Wolf

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 4 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • CyberGate
  • Cyber Eye RAT
  • Shotput
  • Pirpi
  • PlugX/Sogu
  • Kaba
  • Cookie Cutter
  • many 0-days (IE, Firefox, and Flash)
  • SportLoader
  • Shadow Brokers exploits
  • DoublePulsar
  • Bemstour
  • Filensfer

MITRE ATT&CK Software

Attribution and Evidence

Country of Origin: China

Additional attribution information pending cataloguing.

References

[1] mitre-attack
[9] FireEye Clandestine Wolf: Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
[10] Recorded Future APT3 May 2017: Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved September 16, 2024.
[11] PWC Pirpi Scanbox: Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.
[12] FireEye Operation Double Tap: Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
[13] Symantec Buckeye: Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
