← All Threat Actors
Threat Actor Profile

APT5

BRONZE FLEETWOOD G1023 KEYHOLE PANDA MANGANESE Mulberry Typhoon Poisoned Flight TEMP.Bottle UNC2630
▲ High Threat
We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. APT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. In one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies
Origin China

Target Sectors

Electronic Telecoms Technology

Known TTPs

PowerShell
Local Account
Timestomp
Remote Desktop Protocol
Log Enumeration
Disable or Modify Tools
Botnet
Local Data Staging
Compromise Host Software Binary
Keylogging
Cloud Accounts
Archive via Utility
LSASS Memory
Security Account Manager
File Deletion
Additional Local or Domain Groups
Process Discovery
Indicator Removal
Cron
Windows Command Shell
SSH
Process Injection
Web Shell
System Network Connections Discovery
Domain Accounts
Match Legitimate Resource Name or Location
Clear Command History
File and Directory Discovery
Exploit Public-Facing Application

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD