A suspected state-sponsored Chinese threat actor that is known as APT 15 (FireEye) or Vixen Panda (Crowdstrike), and activity documented as Operation Ke3chang (FireEye and Palo Alto) has recently resurfaced again in conversations. The activity of this group was suspected to start as early as 2009. The first major public release of information on this threat actor was in FireEye’s “OPERATION KE3CHANG – Targeted Attacks Against Ministries of Foreign Affairs” whitepaper in 2014. In the whitepaper, FireEye detailed how spear phishing emails were used to install backdoors. The most discussed malware mentioned in the whitepaper was a BS2005 backdoor that has been used to trace back activity by the attacker over the years. In the attack, several broad sectors like aerospace, energy, government, and manufacturing, were mentioned as being targeted.
The next major publication of activity related to the actor came from Palo Alto in 2016. In the publication, it traced a new “TidePool” malware with many similarities to the previously used BS2005 malware. The targets in this attack were stated to be against Indian embassy personnel worldwide.
The most recent publication that has surfaced for an attack directly attributed to APT 15 is from the NCC Group, where the organization claims to have uncovered two previously unknown backdoors (RoyalDNS and RoyalCLI) that have similarities to BS2005. The attack which appeared to occur from May 2016 until late 2017, targeted UK government departments. The information regarding the breach was not published until March of 2018.
The next development that is surfacing now is from security researchers attempting to attribute the major 2018 US Navy Contractor hack to APT 15. In the attack, 614 gigabytes of material related to the US Navy’s “Sea Dragon” Project were stolen by attackers. Researchers are drawing conclusions around an updated backdoor known as MirageFox (again with similarities to the BS2005 malware), and state that this may have been used in the compromise. At this time, based on reviewed intelligence from Intezer and other firms, Proficio believes with that these claims are loose associations and only speculative at this time. Additional future information may attribute to the hack with APT 15 as well.
The Proficio Threat Intelligence Recommendations:
- Implement phishing training for employees
- Have a procedure to have employees forward suspicious emails to security operations for analysis
FireEye Analysis from 2014 – Click Here
Palo Alto Analysis from 2016 – Click Here
Intezer’s MirageFox Analysis from 2018 – Click Here