APT17

Threat Actor Profile Updated 24 days ago
APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected of being affiliated with the Chinese intelligence apparatus. The group has also been associated with the aliases Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. Its primary targets are the U.S. government, international law firms, and information technology companies, against which it conducts network intrusions that demonstrate sophisticated cyber espionage capabilities. APT17 has been active since at least 2010 and is known for its expertise in supply chain attacks, exemplified by Operation Aurora, one of the most advanced cyber attacks ever conducted. The group's activities came into sharper focus after the compromise of Piriform, a software company: APT17 managed to sign and distribute altered versions of the popular CCleaner software to a vast customer base. Using Intezer Analyze™, Kaspersky and Intezer identified notable code similarities between the backdoor implanted in CCleaner and earlier APT17 samples. This shared code, a unique base64 implementation seen only in APT17 operations, strengthens the attribution to this threat actor. APT17 is believed to be part of a loosely connected network of private contractors operating on behalf of China's Ministry of State Security (MSS). Both APT41/Barium and APT17 have historically used the Winnti malware family, which is associated with activity linked to multiple Chinese cyber espionage operators. These connections and code similarities underscore the ongoing threat posed by state-sponsored cyber espionage campaigns such as those conducted by APT17. Two developers have been identified as associated with APT17, further highlighting the group's ties to the Chinese state-sponsored hacking ecosystem.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Winnti | 2 | Winnti, also known as Starchy Taurus, APT41, Axiom, Barium, Blackfly, and HOODOO, is a prominent threat actor originating from China. The group has been active since at least 2007 and is notorious for its sophisticated cyberespionage campaigns. The group's activities have been linked to a shared Chi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Espionage
Associated Malware
ID | Type | Votes | Profile Description
ZxShell | has used | 2 | ZXShell is a notorious malware, often associated with other malicious software such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, and STEW. It has been utilized by various Advanced Persistent Threat (APT) groups, including APT27 and APT20, for
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2015-5119 | Targets | 2 | CVE-2015-5119 is a software vulnerability, specifically a flaw in the design or implementation of Adobe Flash. This vulnerability was discovered as part of the Hacking Team data breach that took place in 2015. In this leak, internal data of the Italian cybersecurity firm Hacking Team was exposed, in
Source Document References
Information about the APT17 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Operation Aurora: Supply Chain Attack Through CCleaner - Intezer
MITRE | a year ago | Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
CERT-EU | a year ago | Sophisticated Merdoor backdoor long used in Lancefly APT attacks
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
CERT-EU | a year ago | Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs
MITRE | a year ago | Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries | Mandiant
CERT-EU | 7 months ago | Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
CERT-EU | a year ago | Researchers Identify Second Developer of ‘Golden Chickens’ Malware
CERT-EU | a year ago | Spyware targeting Windows systems of government agencies and airlines went undetected for five years