130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Information Security Centre (ISC)
    • Why we need a ISC
    • ISC Team Structure: Roles, Functions, and Tools
      • Key Function & Role
      • Tools & Platforms
        • Extended Detection and Response (XDR)
          • Scenario: DC Sync Attack Detected and Mitigated Using XDR
          • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained Using XDR
          • Scenario: Detecting and Mitigating a Ransomware Attack
      • People
      • Outsource Strategy
    • HRMC Executive Paper
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • APT41 (Winnti Group)
  • APT40 (Leviathan)
  • APT43

Was this helpful?

  1. Threat Intelligence
  2. Advanced Persistent Threat (APT) groups

Chinese APT Groups

PreviousNorth Korean APT GroupsNextRussian APT Groups

Last updated 5 months ago

Was this helpful?

APT41 (Winnti Group)

  • Affiliation: Chinese state-sponsored

  • Activities: Known for dual espionage and cybercrime operations, targeting healthcare, high-tech, telecommunications sectors, and the video game industry. Unique for its financially motivated activities alongside state-sponsored espionage.

  • Targets: Healthcare, high-tech, telecommunications, video game industry.

  • TTPs (Tactics, Techniques, Procedures):

    • Supply chain compromises:

    • Use of backdoors and RATs:

    • Financially motivated cybercrime activities:

    • Exploitation of software vulnerabilities:

    • Data exfiltration and intellectual property theft:

  • Notable Incidents:

    • Global Cyber Espionage: Targeting multiple industries, including the theft of intellectual property from healthcare, high-tech, and telecommunications sectors. APT41 used sophisticated techniques to gain access to sensitive data and research.

    • Video Game Industry Attacks (2020): Stealing in-game currency and intellectual property from major gaming companies. This involved compromising game servers and developer accounts.

    • US Healthcare Sector (2019): Targeted the US healthcare sector, stealing patient data and intellectual property related to medical research. APT41 used spear-phishing and malware to infiltrate healthcare organizations.

    • Global Universities (2020): Conducted cyber espionage against universities worldwide, stealing research data related to biotechnology and other advanced fields. APT41 used sophisticated malware to maintain persistent access.

    • US Gaming Industry (2021): Targeted the US gaming industry, stealing game source code and other valuable data. This operation involved the use of advanced malware and exploitation of vulnerabilities in gaming platforms.

APT40 (Leviathan)

  • Affiliation: Chinese Ministry of State Security (MSS)

  • Activities: Active since at least 2009, targeting governmental organizations, companies, and universities in industries such as biomedical, robotics, and maritime research. Known for stealing trade secrets and intellectual property.

  • Targets: Governmental organizations, biomedical, robotics, maritime research sectors.

  • TTPs:

  • Notable Incidents:

APT43

  • Affiliation: Chinese state-sponsored

  • Activities: Known for cyber espionage and targeting NGOs, private companies, and government organizations. Often involved in operations aligned with China's geopolitical interests.

  • Targets: NGOs, private companies, government organizations.

  • TTPs:

  • Notable Incidents:

Spear-phishing:

Exploitation of vulnerabilities:

Use of malware like PlugX and Winnti:

Data exfiltration:

Intellectual property theft:

Maritime Industry Targeting (2019): APT40 focused on naval and shipping companies, stealing sensitive information related to shipbuilding and maritime operations. This involved the use of spear-phishing and custom malware to infiltrate maritime organizations.

Academic Institutions (2020): APT40 conducted cyber espionage against academic institutions, focusing on research data related to biomedical and robotics fields. This involved the use of advanced malware and exploitation of software vulnerabilities.

Defense Contractors (2021): Targeted defense contractors, stealing information related to military technologies. APT40 used spear-phishing and custom malware to gain access to sensitive defense-related data.

Spear-phishing:

Use of RATs and backdoors:

Credential theft:

Network reconnaissance:

Data exfiltration:

South Korean Government Hack (2018): APT43 targeted the South Korean government, stealing sensitive political and military information. This operation involved sophisticated spear-phishing campaigns and the use of remote access tools to exfiltrate data.

South Korean Media Hack (2019): Infiltrated South Korean media organizations, aiming to influence public opinion by spreading propaganda and misinformation. APT43 used spear-phishing and custom malware to gain access to media networks.

South Korean Defense Contractors Hack (2020): Targeted South Korean defense contractors to steal information related to military technologies. APT43 used advanced malware and network reconnaissance techniques to achieve their objectives.

Operations in South China Sea (2020): APT43 targeted entities in the South China Sea region to support China's geopolitical interests, focusing on maritime research and defense-related information.

Supply Chain Compromise
Remote Access Software
Resource Development
Exploitation for Privilege Escalation, Exploitation for Defense Evasion
Exfiltration Over C2 Channel
Read more
Read more
Read more
Read more
Read more
Spearphishing Attachment, Spearphishing Link, Spearphishing via Service
Exploitation for Privilege Escalation, Exploitation for Defense Evasion
Malware
Exfiltration Over C2 Channel
Exfiltration Over C2 Channel
Read more
Read more
Read more
Spearphishing Attachment, Spearphishing Link, Spearphishing via Service
Remote Access Software
Credential Dumping
Discovery
Exfiltration Over C2 Channel
Read more
Read more
Read more
Read more