APT17

Threat Actor updated 3 months ago (2024-11-29T14:09:58.865Z)

Download STIX

Preview STIX

APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.S. government, international law firms, and information technology companies. This group conducts network intrusions against these organizations, demonstrating sophisticated capabilities in cyber espionage. APT17 has been active since at least 2010 and is known for its expertise in supply chain attacks, exemplified by Operation Aurora, one of the most advanced cyber attacks ever conducted. The group's activities came into sharper focus following the compromise of Piriform, a software company. During this attack, APT17 managed to sign and distribute altered versions of the popular CCleaner software to a vast customer base. Kaspersky and Intezer identified notable code similarities between the backdoor implanted in CCleaner and earlier APT17 samples, using Intezer Analyze™. This shared code, a unique implementation of base64 only seen in APT17 operations, strengthens the attribution to this threat actor. APT17 is believed to be part of a loosely connected network of private contractors operating on behalf of China’s Ministry of State Security (MSS). Both APT41/Barium and APT17 have historically used the Winnti malware family, which is associated with activity linked to multiple Chinese cyber espionage operators. The discovery of these connections and code similarities underscores the ongoing threat posed by state-sponsored cyber espionage campaigns like those conducted by APT17. Two developers have been identified as being associated with APT17, further highlighting the group's ties to the Chinese state-sponsored hacking ecosystem.

Description last updated: 2024-05-04T20:10:00.469Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Winnti is a possible alias for APT17. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such	3
GREF is a possible alias for APT17. GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns have been distributing a malicious software called BadBazaar via two applications, Signal Plus Messenger and FlyGram, through the Google Play s	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Espionage

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The ZxShell Malware is associated with APT17. ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o	has used	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2015-5119 Vulnerability is associated with APT17. CVE-2015-5119 is a software vulnerability, specifically a flaw in the design or implementation of Adobe Flash. This vulnerability was discovered as part of the Hacking Team data breach that took place in 2015. In this leak, internal data of the Italian cybersecurity firm Hacking Team was exposed, in	Targets	2

Source Document References

Information about the APT17 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	20 days ago	China-linked APT group Winnti targets Japanese organizations
CERT-EU	a year ago	Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
MITRE	2 years ago	Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries \| Mandiant
CERT-EU	2 years ago	Researchers Identify Second Developer of ‘Golden Chickens’ Malware
CERT-EU	2 years ago	Шпионский код под Windows-системы госструктур и авиакомпаний оставался незамеченным пять лет
MITRE	2 years ago	Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
MITRE	2 years ago	Advanced Persistent Threats (APTs) \| Threat Actors & Groups
MITRE	2 years ago	Operation Aurora: Supply Chain Attack Through CCleaner - Intezer
CERT-EU	2 years ago	Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs
CERT-EU	2 years ago	Sophisticated Merdoor backdoor long used in Lancefly APT attacks