APT12

Threat Actor updated 4 months ago (2024-05-04T21:18:54.532Z)
APT12, also known as Calc Team, is a cyber espionage group believed to be connected to the Chinese People's Liberation Army. The group primarily targets journalists, government entities, and the defense industrial base. Their preferred method of attack is phishing emails sent from legitimate but compromised accounts, delivering exploit documents that contain associated malware such as RIPTIDE, HIGHTIDE, THREEBYTE, and WATERSPOUT. APT12's activities align with broader strategic objectives of the People's Republic of China (PRC), indicating state-sponsored motivations. Recent campaigns have seen APT12 targeting organizations in Japan and Taiwan.

Historically, APT12 has demonstrated resilience and adaptability in the face of public disclosures. For instance, following the public exposure of their intrusion at the New York Times, there was only a brief pause in the group's activity before they resumed operations, albeit with immediate changes in Tactics, Techniques, and Procedures (TTPs).

FireEye, a cybersecurity firm, observed the use of HIGHTIDE malware across multiple Taiwanese organizations and the suspected APT12 WATERSPOUT backdoor at a Japan-based electronics company. This suggests a potential link between the WATERSPOUT campaign, the THREEBYTE campaign, and the HIGHTIDE campaign attributed to APT12. FireEye believes that APT12's shift from using RIPTIDE to HIGHTIDE represents a temporary measure to decrease malware detection while developing a new set of tools.

Despite the adaptations following public disclosures, APT12 has returned to normal activity levels. As of now, the group continues to target organizations and conduct cyber operations using its updated toolkit. Given their past activities, it is expected that APT12 will continue to utilize phishing as a primary malware delivery method.
Description last updated: 2024-05-04T20:30:09.384Z
Aliases
We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the APT12 Threat Actor was read from the documents corpus below.
Source (created): Title
MITRE (2 years ago): Darwin’s Favorite APT Group | Mandiant
MITRE (2 years ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups