APT10, also known as Stone Panda, Cicada, POTASSIUM, and Red Apollo, was found to be behind a series of cyberattacks targeting industry sectors in Japan as part of a large, long-running campaign against the Asian country.
Using previously undocumented malware, APT10 planted backdoors in the victims' networks in a sophisticated fashion. Through these backdoors, the group aimed to exfiltrate sensitive data from Japan's industry sectors.
The campaign affected not only organizations based in Japan but also companies with links to Japan in 17 regions.
These cyberattacks, recently disclosed as part of a multi-year campaign attributed to APT10, relied on undocumented malware to establish backdoors in compromised networks. The SodaMaster, P8RAT, and FYAnti payloads were identified as part of the arsenal.
This intelligence-gathering operation has been running for several years; the earliest evidence of activity dates to March 2019. Initial intrusion into victims' networks came through SSL-VPN products, either by exploiting vulnerabilities or simply by using stolen credentials.
Kaspersky researchers pointed out that the Ecipekac malware served as a central asset across the entire operation. It uses four files to "load and decrypt four fileless loader modules one after the other", ending with a final payload loaded into memory, according to the report.
SodaMaster and P8RAT, for example, were used to download and execute further payloads on targeted systems. FYAnti, mentioned above, is a multi-layer loader module that deploys QuasarRAT (also known as xRAT) as the final-stage remote access Trojan.
Suguru Ishimaru, one of the Kaspersky researchers involved in the findings, stated that the campaign carried out by APT10 was high-end work. “The operations and implants of the campaign (…) are remarkably stealthy, making it difficult to track the threat actor’s activities,” he said in the report.
Kaspersky's experts agree that APT10's campaign against Japanese industry organizations shows notable skill and sophistication: stealthy fileless implants, anti-VM checks, careful removal of activity traces, and more.
The long-running campaign, spanning 17 regions, was plainly an intelligence-gathering effort. The sectors identified so far are managed service providers, automotive, pharmaceuticals, and engineering.
This cyberespionage group, known under many other names to researchers and government authorities, has been active for a long time: there is evidence of espionage operations by the group since 2009.
More notably, the group has been officially linked to the Chinese government by US officials. Its track record also shows recurring campaigns against Japanese organizations and high-profile individuals, so this new finding reveals nothing new about the group's goals or its motivation to target the country, particularly given its backing by China.