APT5

Threat Actors · APT5

· ATT&CK GroupG1023

Mulberry TyphoonMANGANESEBRONZE FLEETWOODKeyhole PandaUNC2630

Techniques

Software

Tactics

Aliases

Description

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)

Tactic Coverage

stealth (8)persistence (7)privilege escalation (5)discovery (4)credential access (3)execution (3)collection (3)initial access (3)lateral movement (2)resource development (1)defense impairment (1)

Techniques Used (29)

T1003.001LSASS Memory

credential access

T1003.002Security Account Manager

credential access

T1021.001Remote Desktop Protocol

lateral movement

T1021.004SSH

lateral movement

T1036.005Match Legitimate Resource Name or Location

stealth

Registration Required

Create a free account to access full Threat Actor Techniques

Showing 5 of 29 results

✓ Personal dashboard✓ Track 1 vendor/product✓ 1 keyword alert✓ Weekly digest✓ 1 CSV export/month

Already have an account? Sign in →

Software Used (13)

S0002Mimikatztool S0039Nettool S1109PACEMAKERmalware S1108PULSECHECKmalware S1050PcSharetool S0012PoisonIvymalware S1113RAPIDPULSEmalware S1110SLIGHTPULSE

References (14)

https://attack.mitre.org/groups/G1023 https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf https://www.mandiant.com/resources/insights/apt-groups https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices https://www.secureworks.com/research/threat-profiles/bronze-fleetwood