Japan’s Industries Targeted by Hackers Employing Backdoors

Share this post
Share on twitter
Share on facebook
Share on email
Share on linkedin
APT10, also known as Stone Panda, Cicada, POTASSIUM, and Red Apollo, was found to be behind a series of cyberattacks targeting industry sectors in Japan as part of a large, long-running campaign against the Asian country.

APT10, also known as Stone Panda, Cicada, POTASSIUM, and Red Apollo, was found to be behind a series of cyberattacks targeting industry sectors in Japan as part of a large, long-running campaign against the Asian country.

By using novel malware, APT10 attacked companies deploying malicious backdoors in a sophisticated fashion. With these backdoors, the group aimed to extract sensitive data related to Japan’s industry sectors.

Not only organizations based in Japan were affected by this malicious campaign but also companies with links to Japan in more than 17 different countries.

Kaspersky’s Findings

These cyberattacks, recently disclosed as part of a multi-year campaign carried out by APT10, were using undocumented malware with the purpose of creating backdoors in infected networks. SodaMaster, P8RAT, and FYAnti payloads were identified as part of the arsenal.

This intel-gathering operation has been running for a few years now, existing evidence of its kickstart dated March 2019. The initial intrusion in victims’ networks occurred via SSL-VPN abuse, exploiting vulnerabilities or by simply using stolen credentials.

Kaspersky researchers pointed out that Ecipekac malware was used as a central asset all across the entire operation. This malware works by using four files to “load and decrypt four fileless loader modules one after the other”, this concluding with the upload of a final payload into the memory, according to the report.

It was also known that SodaMaster and P8RAT payloads, for example, were used to download and execute payloads in targeted systems. The FYAnti payload mentioned before was also employed. This one is a multi-layer loader module that deploys a QuasarRAT or xRAT final-stage remote access Trojan.

Threat Assessment

Suguru Ishimaru, one of the Kaspersky researchers involved in the findings, stated that the campaign carried out by APT10 was high-end work. “The operations and implants of the campaign (…) are remarkably stealthy, making it difficult to track the threat actor’s activities,” he said in the report.

Experts from Kaspersky agreed that the APT10’s campaign against Japanese industry organizations shows notable skill and sophistication, with stealth fileless implants, anti-VM, successful removal of activity tracks, and more.

The long-running campaign covering 17 different regions was definitely gathering intelligence with success. The sectors involved in the campaign that have been identified so far are managed service providers, automotive, pharma, and engineering.

However, this cyberespionage group, known under many other names by experts and official authorities, has been operating for a long time. There is evidence of espionage operations carried out by this group since 2009.

What is more notable is that the group has been officially linked to the Chinese government by US officials. In their track record, we can also see that APT10 is also known for their recurrent campaigns against Japanese organizations and high-profile individuals, so this new finding doesn’t reveal anything new about the group’s goals and motivations to target this country, especially understanding that they are backed by China. 

Share on twitter
Share on facebook
Share on email
Share on linkedin

More Articles by Julie Security

Juliesecurity Logo

Download a sample report

The best way to understanding our value is to see it with your own eyes. A risk assessment report is a powerful tool helping mitigate cybersecurity vulnerabilities.

Welcome to Julie Security

Map your OT and IoT assets. Monitor your networks. Protect your facility from cyber attacks. Do it with the Julie Security Intrusion Detection Platform.

By clicking the “Sign Up” button, you are creating a Julie Security account, and you agree to the
Terms of Use and Privacy Policy.