APT19

🔴 High
Also known as: APT19, ATG50, Black Vine, BRONZE FIRESTONE, C0d0so, C0d0so0, Checkered Typhoon, CHLORINE, Codoso, Codoso Team, DEEP PANDA, G0009, G0073, Group 13, KungFu Kittens, PinkPanther, Pupa, Red Gargoyle, Shell Crew, Sunshop Group, TEMP.Avengers, TG-3551, WebMasters

APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms [7]. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information whether the groups are the same [11][9][10].

🌍 Country China
⚡ Risk Level High
🎯 Incident Type Espionage
🧭 ATT&CK G0073
Technology, Finance, Non-profit organisation, Private sector, Military

Activities and Tactics

Targeted Sectors: Technology, Finance, Non-profit organisation, Private sector, Military

Country of Origin: 🇨🇳 China

Risk Level: High

Incident Type: Espionage

Suspected Victims: United States

Notable Campaigns

  • Bassos Campaign

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Bergard Trojan
  • Derusbi
  • TXER

MITRE ATT&CK Software

Attribution and Evidence

Country of Origin: China

Additional attribution information pending cataloguing.

References

[1] mitre-attack.
[7] FireEye APT19: Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
[8] Dark Reading Codoso Feb 2015: Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.
[9] FireEye APT Groups: FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.
[10] Unit 42 C0d0so0 Jan 2016: Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
[11] ICIT China’s Espionage Jul 2016: Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.