20-Year-Old Chinese APT15: A Resurgent Threat Targeting Foreign Ministries

Cyber Espionage Campaign Targeting Foreign Ministries in the Americas

Introduction

Between late 2022 and early 2023, a China-linked state-sponsored threat actor tracked as APT15 ran a cyber espionage campaign against foreign ministries in North and South America. APT15, also known as Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT and Playful Dragon, has a long record of targeting government organizations, diplomatic missions and embassies for intelligence collection. This campaign showed both the group's incremental retooling and a strategic focus on the Americas. Symantec's Threat Hunter Team documented the tactics, techniques and tools used in the operation.

The Tools and Techniques Employed

APT15 used more than a dozen tools in the campaign, mixing new malware with variants it has deployed before. These included two variants of Mimikatz, a set of web shells (among them AntSword and China Chopper), and an exploit for CVE-2020-1472, the Netlogon elevation-of-privilege flaw known as Zerologon, which by then was three years old. Together these gave the operators credential theft and privilege escalation, command execution and file manipulation on compromised hosts.

The notable addition to APT15's toolkit was Graphican, a new member of its Trojan backdoor lineage. Graphican is an evolution of the Ketrican Trojan the group used previously, which itself descends from the older BS2005. What sets Graphican apart is that it has no hardcoded command-and-control (C2) server: it authenticates to Microsoft Graph, the API for Microsoft 365 services, and retrieves an encrypted C2 address from a OneDrive folder, decrypting it locally. Because the resolution step talks only to Microsoft's own cloud endpoints, domain and IP blocklists do not see the real C2 until after the lookup. Once connected, Graphican gives the operators an interactive command line on the host, the ability to spawn processes, read, write and delete files, and download further malware onto the victim's machine.
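The C2 lookup described above leaves two traces a defender can hunt for without knowing the eventual C2 address: a process other than a known Microsoft client reading OneDrive through the Graph API, and the fixed-interval polling that a backdoor running on a sleep timer produces. The Python below is an added example, not Symantec's analysis code and not anything recovered from the malware. It assumes a pipe-delimited proxy log format, a per-fleet allowlist of processes that legitimately talk to Graph, and jitter thresholds that need tuning; the log lines and the process name `update.exe` are constructed for the example.

```python
"""Hunt proxy logs for Graphican-style C2 resolution via Microsoft Graph/OneDrive.

Added example for illustration. Assumed log format (constructed):
    ts|src_host|process|method|url|user_agent
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a normal OneDrive sync client, Outlook reading mail through Graph,
# and a hypothetical non-Microsoft process "update.exe" that fetches a token and then
# lists the OneDrive root every five minutes on the dot.
SAMPLE_LOG = """\
2023-02-01T09:00:05Z|WS-FM-017|OneDrive.exe|GET|https://graph.microsoft.com/v1.0/me/drive/root/children|OneDrive/23.007
2023-02-01T09:03:41Z|WS-FM-017|OneDrive.exe|GET|https://graph.microsoft.com/v1.0/me/drive/root/delta|OneDrive/23.007
2023-02-01T09:05:00Z|WS-FM-017|update.exe|POST|https://login.microsoftonline.com/common/oauth2/v2.0/token|Mozilla/4.0
2023-02-01T09:05:02Z|WS-FM-017|update.exe|GET|https://graph.microsoft.com/v1.0/me/drive/root/children|Mozilla/4.0
2023-02-01T09:10:02Z|WS-FM-017|update.exe|GET|https://graph.microsoft.com/v1.0/me/drive/root/children|Mozilla/4.0
2023-02-01T09:11:02Z|WS-FM-017|OneDrive.exe|PUT|https://graph.microsoft.com/v1.0/me/drive/root:/report.docx:/content|OneDrive/23.007
2023-02-01T09:15:02Z|WS-FM-017|update.exe|GET|https://graph.microsoft.com/v1.0/me/drive/root/children|Mozilla/4.0
2023-02-01T09:20:02Z|WS-FM-017|update.exe|GET|https://graph.microsoft.com/v1.0/me/drive/root/children|Mozilla/4.0
2023-02-01T09:21:30Z|WS-FM-021|OUTLOOK.EXE|GET|https://graph.microsoft.com/v1.0/me/messages|Outlook/16.0
2023-02-01T09:40:27Z|WS-FM-017|OneDrive.exe|GET|https://graph.microsoft.com/v1.0/me/drive/root/delta|OneDrive/23.007
"""

# Processes expected to touch Graph/OneDrive on a managed workstation (assumed allowlist; tune per fleet)
KNOWN_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "ms-teams.exe",
                       "winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe"}
# Graph URLs that read or write OneDrive content: /me/drive/..., /users/{id}/drive/..., /drives/...
DRIVE_PATH = re.compile(r"^https://graph\.microsoft\.com/v1\.0/(?:me/|users/[^/]+/)?drives?(?:/|:|$)", re.I)
MIN_POLLS = 4       # minimum Graph requests before judging cadence (assumed threshold)
MAX_JITTER = 0.15   # pstdev/mean of inter-request gaps; a sleep loop is near 0, a human is not


def parse(log_text):
    """Split the pipe-delimited lines into dicts with a datetime; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue
        ts, host, proc, method, url, ua = parts
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
                     "proc": proc, "method": method, "url": url, "ua": ua})
    return rows


def hunt(log_text):
    """Return {(host, process): [rule names]} for every client that trips at least one rule."""
    findings = defaultdict(set)
    graph_times = defaultdict(list)
    for r in parse(log_text):
        key = (r["host"], r["proc"].lower())
        # Rule 1: OneDrive contents accessed via Graph by something that is not a known Microsoft client.
        if DRIVE_PATH.match(r["url"]) and key[1] not in KNOWN_GRAPH_CLIENTS:
            findings[key].add("unexpected-process-reads-onedrive")
        if r["url"].startswith("https://graph.microsoft.com/"):
            graph_times[key].append(r["ts"])
    # Rule 2: metronomic polling of Graph. Deliberately ignores the allowlist, because a backdoor
    # injected into a legitimate process keeps that process's name but not a human's timing.
    for key, stamps in graph_times.items():
        if len(stamps) < MIN_POLLS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            findings[key].add("fixed-interval-graph-polling")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (host, proc), rules in hunt(SAMPLE_LOG).items():
        print(f"{host} {proc}: {', '.join(rules)}")
```

On the constructed sample only `update.exe` on WS-FM-017 is reported, by both rules; the OneDrive client hits the same endpoints but at human-driven intervals and is on the allowlist, and Outlook never touches a drive path. In production the allowlist should be replaced with signed-binary or process-lineage checks from EDR telemetry, since a process name is the weakest possible identity, and the jitter threshold should be derived from a baseline of the fleet's own Graph traffic.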

APT15’s Motivations and Tactics

APT15 has been active for close to two decades and has become more visible in recent years. In December 2021 Microsoft's Digital Crimes Unit obtained a court order and seized domains used by the group, which Microsoft tracks as Nickel; the group nonetheless resurfaced, including in a mobile spyware campaign against Uyghur communities. That resilience is the practical lesson for defenders: infrastructure takedowns impose cost but do not remove a state-backed actor of this caliber.

APT15 has not stated its objectives, but its consistent interest in government organizations, diplomatic missions and foreign affairs ministries points to classic intelligence collection. Its initial access methods are varied: phishing emails, exploitation of public-facing applications, and exploitation of exposed VPN appliances have all been observed. Knowing which doors the group tends to try is the starting point for organizations hardening themselves against APT15 and similar actors.

Defending Against APT15 and Similar Threat Actors

Organizations concerned about APT15 and other advanced persistent threats should layer their defenses rather than rely on any single control. The basics still matter most here: email filtering that catches the phishing lures, network segmentation that limits what a single compromised host can reach, timely patching of internet-facing systems and domain controllers (the three-year-old Zerologon bug in this campaign is a reminder), and security awareness training for staff.

APT15's retooling is incremental: Graphican descends from Ketrican, the web shells are publicly available, and the credential tools are well known. Defenders can use that predictability. Validating security controls against the group's known tooling and behaviours, for example web shell activity on exposed servers, Netlogon exploitation attempts against domain controllers, and Graph or OneDrive access from processes that have no business making it, catches the parts of the playbook that do not change between campaigns. Continuous monitoring of network traffic, behavioural anomaly detection and threat intelligence feeds give the context to spot the parts that do.

Collaboration between governments, intelligence agencies and private sector security firms also matters in countering advanced persistent threats. Sharing intelligence about APT15's tactics, techniques and infrastructure shortens detection and response times for the next campaign and helps prevent further compromises.

Conclusion

APT15's campaign against foreign ministries in the Americas shows how state-sponsored actors keep refining their tooling while their intelligence requirements stay constant. Graphican's use of Microsoft Graph and OneDrive to hide C2 resolution inside legitimate cloud traffic, together with the group's recovery from a coordinated domain seizure, underlines the need for behaviour-based detection, disciplined patching and intelligence sharing among stakeholders.

To defend against APT15 and similar actors, organizations must treat the basics as non-negotiable, deploy controls that detect behaviour rather than only known indicators, and stay alert for signs of compromise. Understanding the tactics and tools APT15 reuses lets defenders anticipate and mitigate the risk posed by this persistent adversary.
