Researchers claim that APT10, a likely China-based threat actor, is believed to be directly connected to the Chinese Ministry of State Security’s (MSS) Tianjin bureau. The allegations come from CrowdStrike, which released a report Friday that claims it has found firm ties linking APT10 (or Stone Panda) with MSS, China’s equivalent of the National Security Agency.
The Chinese advanced persistent threat (APT) group APT10/Stone Panda, also known as CVNX and Red Apollo, has been around since 2013, and is alleged to be behind a slew of espionage campaigns targeting various countries including Japan, Canada and France.
In its report released Friday, CrowdStrike builds on research by the anonymous group IntrusionTruth, which has published several reports outing individuals and firms believed to be associated with Stone Panda. CrowdStrike researchers also factored in another report by Recorded Future, published last year, on a separate APT group called Gothic Panda, or APT3 – also linked to MSS.
“It cannot be ignored that there are striking similarities between the entities associated with Gothic Panda and the actors and firms mentioned in the blogs about Stone Panda,” wrote CrowdStrike researcher Adam Kozy in a post Friday. He asserts that while evidence is inconclusive, there are enough links between the two APTs to suggest Stone Panda (like Gothic Panda) is tied to China’s MSS Tianjin bureau.
Kozy said his research could have interesting implications for U.S.-Chinese foreign relations. Still, Kozy is upfront about holes in IntrusionTruth’s report.
“Recently, in July and August 2018, IntrusionTruth has returned with new reporting regarding actors with ties to historic Stone Panda activity and has ultimately associated them with the MSS Tianjin Bureau,” he wrote. “Though CrowdStrike… is currently unable to confirm all of the details provided in these most recent posts with a high degree of confidence, several key pieces of information can be verified.”
Recent Believed Activity
Stone Panda’s two biggest recent campaigns were in 2017. The first was a massive operation called “Cloud Hopper,” which pinpointed managed security service providers in a range of countries – including Canada, France, South Africa, Australia, Japan, and India – and targeted sensitive data and intellectual property.
Separately, Stone Panda was also linked to “Operation TradeSecret,” an attack targeting several key private-sector players that were involved in lobbying efforts related to the U.S.’ foreign trade policy.
In 2017, PricewaterhouseCoopers said in an analysis that it believed Stone Panda had gained significant staffing and logistical resources over the past three years. IntrusionTruth named two individuals, Gao Qiang and Zhang Shilong, who may have been part of this staffing – the two were listed in connection with Stone Panda.
IntrusionTruth connected Gao Qiang to the moniker “fisherxp,” which appeared in a 2010 spear-phishing campaign previously attributed to Stone Panda, Kozy said.
Connecting Dots
Multiple sites with profile pictures appear to show the owner of the fisherxp accounts, though CrowdStrike has yet to confirm that this person is Gao. IntrusionTruth later links Gao to several documented Uber rides to the MSS Tianjin Bureau’s office address, but CrowdStrike researchers said they could not confirm these Uber receipts.
What CrowdStrike could confirm, however, is that “fisherxp’s account on popular Chinese technology forum 51CTO is still active and shows that he has downloaded not only the open-source DarkComet RAT and numerous password cracking tools, but more importantly, several favorite tools used by a plethora of known Chinese cyber adversaries including Gh0st RAT 3.6, zxarps [an ARP-spoofing tool by legacy hacker LZX], and lcx.exe [a port-forwarding tool by legacy hacker LCX],” the CrowdStrike team said in their analysis.
Meanwhile, Zhang Shilong has also registered several sites with overlapping registrant details that show both his affiliation with several physical technology firm addresses and his residence in Tianjin. He also has significant connections to known Chinese hacking forums, and has sourced tools currently in use by China-based cyber adversaries, Kozy said.
CrowdStrike said that Zhang was actively registering domains as recently as June 2018, and that he responded to the IntrusionTruth blog posts by scrubbing his social media account.
Interestingly, “the MSS Tianjin Bureau is confirmed to be located at the described address, not far from many of the registrant addresses listed by Zhang as well as the firms Gao was likely recruiting for,” said researchers.
Gao was using his Tencent QQ blog account to recruit for a science and technology development company, Huaying Haitai, which has also been linked to Stone Panda. The company has been connected to a Chinese Ministry of Industry and Information Technology (MIIT) sponsored attack and defense competition.
Researchers said Huaying Haitai has previously hired Chinese students with Japanese language skills; this is significant, as Stone Panda has engaged in several campaigns targeting Japanese firms: “This is interesting considering Stone Panda’s extensive targeting of Japanese defense firms after this time period, but it is by no means conclusive evidence that the firm is connected to Stone Panda,” they said.
Alleged Western Intrusion
Kozy told Threatpost that CrowdStrike has tracked Chinese intrusion activity into western firms by suspected contractors, including Gothic Panda, Stone Panda, Wicked Panda, Judgment Panda, and Kryptonite Panda. “Many of these adversaries have begun targeting supply chain and upstream providers to establish a potential platform for future operations and enable the collection of larger sets of data,” he said.
Kozy stressed again that there are still significant intelligence gaps that prevent CrowdStrike from making an assessment about Stone Panda’s potential connections to the MSS Tianjin Bureau “with a high degree of confidence.” However, he said, the exposure of Stone Panda as an MSS contractor would be a “blow to China’s current cyber operations.”
“While the APT1, PUTTER PANDA, and Operation CameraShy reports all exposed PLA units at a time when Chinese military hacking against western firms was rampant, the attention has now swung toward identifying MSS contractors,” CrowdStrike researchers said in their post Friday. “The exposure of STONE PANDA as an MSS contractor would be another blow to China’s current cyber operations given Stone Panda’s prolific targeting of a variety of sectors, and may prompt an additional U.S. investigation at a tenuous time for Sino-U.S. relations during an ongoing trade war.”