APT17

Threat Actor Profile (updated 3 months ago)
APT17, also known as Tailgator Team and Deputy Dog, is a cyber espionage group suspected of operating on behalf of the Chinese intelligence apparatus. Vendor clusters that overlap with, or have at times been merged into, this actor include Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF; these names are not strict synonyms, since different vendors draw the cluster boundaries differently (see the overlaps listed below). APT17's primary targets are the U.S. government, international law firms, and information technology companies, against which it conducts network intrusions. The group has been active since at least 2010 and is best known for supply chain attacks. Researchers have also linked its code to Operation Aurora, the 2009-2010 campaign against Google and other technology companies that is widely regarded as one of the most sophisticated intrusions of its time.

The group came into sharper focus after the 2017 compromise of Piriform, the developer of CCleaner. The attackers inserted a backdoor into the CCleaner build, had it signed with Piriform's legitimate code-signing certificate, and distributed the trojanized release to the product's very large user base through the normal download channel, so a valid signature gave no protection. Kaspersky and Intezer both identified notable code similarities between the implanted backdoor and earlier APT17 samples; Intezer's comparison, performed with Intezer Analyze, highlighted a non-standard base64 implementation seen only in APT17 operations. Because a custom encoding routine is unlikely to be shared by chance, this overlap strengthens the attribution. Code reuse is still only one indicator: shared tooling such as Winnti circulates among several Chinese operators, so an overlap with APT17 code should be weighed together with infrastructure, victimology, and tradecraft before an intrusion is attributed.

APT17 is believed to be part of a loosely connected network of private contractors operating on behalf of China's Ministry of State Security (MSS). Both APT41/BARIUM and APT17 have historically used the Winnti malware family, which is associated with activity linked to multiple Chinese cyber espionage operators. These connections and code similarities underscore the ongoing threat posed by state-sponsored cyber espionage campaigns such as those conducted by APT17. Two developers have been identified as being associated with APT17, further highlighting the group's ties to the Chinese state-sponsored hacking ecosystem.
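The non-standard base64 routine mentioned above is the kind of artefact that makes code-reuse attribution work. The Python below is an added example, not code from this page, from Intezer, or from any APT17 or CCleaner sample; it shows the general triage technique rather than the specific case. It assumes a custom alphabet is what makes an encoder unique (one common way, though the page does not say that is how APT17's routine differed), scans a constructed binary-like blob for 64-byte tables that are permutations of the standard base64 character set, treats a non-standard ordering as a fingerprint, clusters samples that share one, and decodes data with the recovered alphabet. The alphabet, the sample layout, the sample names and the encoded strings are all constructed for this example.

```python
import base64
import string

# Standard RFC 4648 alphabet and its character set.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
STD_SET = frozenset(STD_ALPHABET.encode())

# Hypothetical non-standard alphabet, constructed for this example only.
# It is NOT the alphabet used by any real malware family.
CUSTOM_ALPHABET = (
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "zyxwvutsrqponmlkjihgfedcba"
    "9876543210/+"
)


def custom_b64encode(data: bytes, alphabet: str) -> bytes:
    """Base64 with a permuted alphabet: encode normally, then remap symbols.
    The '=' padding character is left untouched."""
    table = bytes.maketrans(STD_ALPHABET.encode(), alphabet.encode())
    return base64.b64encode(data).translate(table)


def custom_b64decode(data: bytes, alphabet: str) -> bytes:
    """Inverse of custom_b64encode: map the custom symbols back, then decode."""
    table = bytes.maketrans(alphabet.encode(), STD_ALPHABET.encode())
    return base64.b64decode(data.translate(table))


def find_alphabets(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, alphabet) for every 64-byte window of `blob` whose bytes
    are exactly the base64 character set, in any order. Encoders usually keep
    their alphabet as one contiguous table, so this finds both standard and
    custom tables; only a non-standard ordering is interesting."""
    hits = []
    for i in range(len(blob) - 63):
        window = blob[i:i + 64]
        if window[0] not in STD_SET:      # cheap prefilter before building a set
            continue
        if set(window) == STD_SET:        # 64 distinct bytes, all in the set
            hits.append((i, window.decode("ascii")))
    return hits


def cluster_by_alphabet(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by the custom alphabet(s) they embed. The standard
    table is skipped: every program linking an ordinary base64 routine has it,
    so it carries no attribution value."""
    clusters: dict[str, list[str]] = {}
    for name, blob in samples.items():
        for _, alphabet in find_alphabets(blob):
            if alphabet == STD_ALPHABET:
                continue
            clusters.setdefault(alphabet, []).append(name)
    return clusters


def make_sample(alphabet: str, config: bytes) -> bytes:
    """Constructed stand-in for a binary: a fake header, filler, the encoder's
    alphabet table, more filler, then a config string encoded with it."""
    return (b"MZ\x90\x00" + b"\xcc" * 24
            + alphabet.encode()
            + b"\x00" * 8
            + custom_b64encode(config, alphabet)
            + b"\x00" * 4)


# Constructed samples: two "related" binaries sharing the custom table and one
# unrelated binary that uses the standard table.
SAMPLES = {
    "sample_a": make_sample(CUSTOM_ALPHABET, b"http://c2.example.test/update"),
    "sample_b": make_sample(CUSTOM_ALPHABET, b"http://c2.example.test/beacon"),
    "sample_c": make_sample(STD_ALPHABET, b"https://updates.example.test/"),
}


def recover_config(blob: bytes, alphabet: str) -> bytes:
    """Decode the encoded config that follows the alphabet table in a
    make_sample() blob (8 zero bytes after the table, then the string up to
    the next zero byte)."""
    start = blob.index(alphabet.encode()) + 64 + 8
    end = blob.index(b"\x00", start)
    return custom_b64decode(blob[start:end], alphabet)


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for off, alph in find_alphabets(blob):
            kind = "standard" if alph == STD_ALPHABET else "CUSTOM"
            print(f"{name}: {kind} base64 table at offset {off:#x}")
    for alph, names in cluster_by_alphabet(SAMPLES).items():
        print("shared custom alphabet", alph[:16] + "...", "->", names)
    print(recover_config(SAMPLES["sample_a"], CUSTOM_ALPHABET))
```

Two caveats a practitioner should keep in mind. First, a real encoder may build its alphabet at runtime or split the table, so the contiguous-window scan is a triage heuristic, not proof of absence. Second, a shared custom alphabet says two samples share code, not who wrote it; the same routine can be copied from a leaked toolkit or a public repository, which is why the page's attribution also rests on the broader APT17 code overlap and on context beyond the binary.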
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at. Each entry gives the profile name, the number of votes for the overlap, and the start of that profile's description (descriptions are truncated on this page).

Winnti (2 votes): Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar […]

Deputy Dog (1 vote): Deputy Dog is a threat actor group that conducts network intrusions against targeted organizations, with a suspected attribution to China. The group is also known as Tailgator Team or APT17 and has primarily targeted the U.S. government, international law firms, and information technology companies.

GREF (1 vote): GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns have been distributing a malicious software called BadBazaar via two applications, Signal Plus Messenger and FlyGram, through the Google Play s […]

Operation Aurora (1 vote): Operation Aurora, associated with APT17, is a notorious intrusion campaign that began in 2009 and is considered one of the most sophisticated cyberattacks ever conducted. The actor behind it specializes in supply chain attacks, which are attempts to damage an organization by targeting less-secure elements in its supply […]
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance.
Tags: APT, Espionage, China, State Sponso...
Associated Malware
Each entry gives the malware name, the relationship type, the number of votes, and the start of that profile's description (truncated on this page).

ZxShell (has used, 2 votes): ZXShell is a remote access trojan that has been used by various cyber threat actors to compromise and control computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o […]

Aurora (unspecified, 1 vote): Aurora is malware designed to compromise computer systems, typically delivered through malicious downloads, emails, or websites. It has been used in a series of high-profile cyber attacks over the years, with notable instances such as Operation Aurora in 2009, which targeted major technology co […]

Merdoor (unspecified, 1 vote): Merdoor is a powerful backdoor that has existed since 2018, according to Symantec. It is capable of installing itself as a service, keylogging, listening on local ports for commands, and communicating with its command and control (C&C) server using various methods such as HTTP, H […]
Associated Threat Actors
Each entry gives the actor name, the relationship type, the number of votes, and the start of that profile's description (truncated on this page).

Lancefly (unspecified, 1 vote): Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyber espionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto […]

APT41 (unspecified, 1 vote): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4 […]
Associated Vulnerabilities
Each entry gives the CVE identifier, the relationship type, the number of votes, and the start of that profile's description (truncated on this page).

CVE-2015-5119 (targets, 2 votes): CVE-2015-5119 is a use-after-free vulnerability in Adobe Flash Player (in the ActionScript 3 ByteArray class) that allows remote code execution. It became public through the July 2015 breach of Hacking Team, the Italian surveillance software vendor, whose leaked internal data included a working exploit that several threat groups adopted within days; in this leak, internal data of Hacking Team was exposed, in […]
Source Document References
Information about the APT17 Threat Actor was read from the documents corpus below (the display is limited to 20 results). Each entry gives the source, when the record was created, and the document title.

CERT-EU, 9 months ago: Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
MITRE, a year ago: Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries | Mandiant
CERT-EU, a year ago: Researchers Identify Second Developer of 'Golden Chickens' Malware
CERT-EU, a year ago: Spyware code targeting the Windows systems of government agencies and airlines went unnoticed for five years (original title: Шпионский код под Windows-системы госструктур и авиакомпаний оставался незамеченным пять лет)
MITRE, a year ago: Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
MITRE, a year ago: Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE, a year ago: Operation Aurora: Supply Chain Attack Through CCleaner - Intezer
CERT-EU, a year ago: Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs
CERT-EU, a year ago: Sophisticated Merdoor backdoor long used in Lancefly APT attacks