BlackTech

Also known as: APT24, BlackTech, Canary Typhoon, CIRCUIT PANDA, Earth Hundun, G0011, G0098, HUAPI, Manga Taurus, Mobwork, Palmerworm, Phantom of Routers, PITTY PANDA, Red Djinn, T-APT-03, Temp.Overboard, Temp.Pittytiger

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks. (TrendMicro BlackTech June 2017; Symantec Palmerworm Sep 2020; Reuters Taiwan BlackTech August 2020)

🌍 Country: China
🧭 ATT&CK: G0098

Activities and Tactics

Country of Origin: 🇨🇳 China

Notable Campaigns

  • PLEAD
  • Shrouded Crossbow
  • Waterbear

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • BlackEnergy
  • Backdoor.Oldrea
  • CloudDuke
  • Rover
  • BLACKCOFFEE
  • Blackshades
  • BlackNix
  • CyberGate
  • Cyber Eye RAT
  • HTTP WEB BACKDOOR
  • BendyBear

MITRE ATT&CK Software

Attribution and Evidence

Country of Origin: China

Additional attribution information pending cataloguing.

References

[1] mitre-attack
[3] TrendMicro BlackTech June 2017: Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech's Cyber Espionage Campaigns. Retrieved May 5, 2020.
[4] IronNet BlackTech Oct 2021: Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.
[5] Reuters Taiwan BlackTech August 2020: Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.
[6] Symantec Palmerworm Sep 2020: Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.