APT 10 Red Apollo: Unveiling the operations of a prolific Chinese State-sponsored cyberespionage group

In the ever-evolving landscape of cyber warfare, advanced persistent threat (APT) groups play a critical role in nation-state sponsored espionage and cyber attacks. One such group that has garnered significant attention is Red Apollo, also known by various aliases, including APT 10 (also written APT10 or APT-10), MenuPass, Stone Panda, and POTASSIUM. This Chinese state-sponsored cyberespionage group has been active since at least 2006 and has been associated with various high-profile cyber campaigns targeting a wide range of industries and countries. In this article, we delve into the background, tactics, techniques, and notable operations of Red Apollo APT 10.

Background and attribution
Red Apollo APT 10 has been operating in the realm of cyber espionage for well over a decade. It is believed to be linked to the Tianjin State Security Bureau of the Ministry of State Security, a Chinese intelligence agency. This group has gained notoriety under various names, as different cybersecurity firms and government agencies have tracked its activities. The names include APT 10 (Mandiant), MenuPass (FireEye), Stone Panda (CrowdStrike), and POTASSIUM (Microsoft).

The Chinese state-sponsored nature of Red Apollo has been further emphasized by the involvement of two Chinese nationals, Zhu Hua and Zhang Shilong, who were indicted by the US Department of Justice in 2018 for their alleged role in APT10’s cyber espionage activities. This indictment marked a significant step in the international effort to combat state-sponsored cyber threats.

Tactics and techniques
Red Apollo APT 10 employs a diverse range of tactics and techniques to achieve its espionage goals. These include:

1. Spear Phishing
The group relies on spear-phishing campaigns, often using lures related to industry-specific themes to trick recipients into opening malicious attachments or clicking on malicious links.

2. Supply Chain Attacks
APT10 has targeted managed service providers (MSPs) and used them as intermediaries to access client networks. This technique allows the group to target a broad range of industries and organizations through a single compromise.

3. Malware Arsenal
The group employs a wide array of custom and publicly available malware. Notable malware families include ScanBox, Quasar, PlugX, Poison Ivy, BugJuice, RedLeaves, and more.

4. Watering Hole Attacks
Red Apollo compromises websites its targets are likely to visit and plants malware on them so that visitors’ systems become infected.

5. DLL Hijacking and Process Hollowing
The group uses advanced techniques such as DLL hijacking and process hollowing to evade detection and maintain access to target networks.

6. Ransomware Deception
In a rare move, Red Apollo has been observed using ransomware attacks as decoys to obscure its true intent and activities.

Notable operations
Red Apollo APT 10 has been involved in several high-profile operations that highlight its sophisticated capabilities and global reach:

1. Operation Cloud Hopper (2014-2017)
This extensive cyber attack targeted managed service providers (MSPs) across multiple countries, including the UK, US, Japan, Canada, Brazil, and more. The group used MSPs as intermediaries to access client networks, stealing data from a variety of sectors.

2. US Navy Data Breach (2016)
Red Apollo gained access to records of around 130,000 US Navy personnel, highlighting the group’s interest in targeting government entities.

3. Vaccine Maker Intellectual Property Theft (2021)
The group targeted Bharat Biotech and the Serum Institute of India, attempting to steal intellectual property related to COVID-19 vaccines.

4. Ransomware Deception (2022)
Red Apollo used ransomware attacks as a cover to steal intellectual property from Western and Japanese organizations, showcasing its evolving tactics.

Mitigation and preparedness
Given the persistent and evolving nature of Red Apollo’s activities, organizations must adopt a proactive and multi-layered security approach to counter its threats. This includes:

1. Employee Training
Training employees to recognize and respond to phishing attempts can significantly reduce the risk of successful spear-phishing attacks.

2. Multi-Layered Security
Implementing multiple layers of security, including endpoint protection, intrusion detection and prevention systems, and firewalls, can help defend against various attack vectors.

3. Threat Intelligence
Staying updated with real-time threat intelligence is crucial for understanding the group’s evolving tactics and adapting defenses accordingly.

4. Behavior-Based Anti-Malware
Utilizing behavior-based anti-malware solutions can help detect and prevent the execution of malicious payloads.

5. Regular Updates and Patch Management
Ensuring that software and systems are up-to-date with the latest security patches is essential to mitigate vulnerabilities.

6. 24×7 Active Monitoring
Continuous monitoring of network activities can help detect and respond to any suspicious or unauthorized activities.

Conclusion
Red Apollo APT 10 stands as a testament to the persistence and adaptability of state-sponsored cyber espionage groups. Its extensive history of operations targeting a diverse range of industries and countries underscores the importance of a robust cybersecurity strategy for both government and private sector entities. By understanding Red Apollo’s tactics, techniques, and procedures, organizations can better prepare themselves to defend against the ever-evolving threat landscape posed by sophisticated APT groups like Red Apollo.

Indicators of compromise
