Introduction
APT5 is a China-based espionage actor that has been active since at least 2007, primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software, including through the use of zero-day exploits.
Sources: [2], [3], [4], [5], [6], [7].
Activities and Tactics
Targeted Sectors: Electronic, Telecoms, Technology
Country of Origin: 🇨🇳 China
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- SHIPSHAPE
- CrossRat
- BRIGHTCREST
- SWEETCOLA
- SPIRITBOX
- PALEJAB
- WIDERIM
- WINVAULT
- HAPPYSAD
- BIRDWORLD
- FARCRY
- CYFREE
- FULLSILO
- HELLOTHEWORLD
- HAZELNUT
- GIF89A
- SCREENBIND
- SHINYFUR
- TRUCKBED
- LEOUNCIA
- FREESWIM
- PULLTAB
- HIREDHELP
- NEDDYHORSE
- PITCHFORK
- BRIGHTCOMB
- ENCORE
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK entry
[2] NSA, APT5 Citrix Threat Hunting, December 2022
[3] Microsoft, East Asia Threats, September 2023
[4] Mandiant, Pulse Secure Zero-Day, April 2021
[5] Mandiant, Pulse Secure Update, May 2021
[6] FireEye, Southeast Asia Threat Landscape, March 2015
[7] Mandiant, Advanced Persistent Threats