APT 18, Dynamite Panda, Wekby
Description
Wekby was described by Palo Alto Networks in a 2016 report as: ‘Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of Hacking Team’s Flash zero-day exploit.’
This threat group has been seen since 2009.
APT 18 may be related to Night Dragon and/or Nitro (also known as Covert Grove).
Names
| Name | Name-Giver |
|---|---|
| APT 18 | Mandiant |
| Dynamite Panda | CrowdStrike |
| TG-0416 | SecureWorks |
| Wekby | Palo Alto |
| Scandium | Microsoft |
| Satin Typhoon | Microsoft |
| Red Wraith | PWC |
| SILVERVIPER | ? |
Country
China
Sponsor
State-sponsored, PLA Navy
Motivation
- Information theft and espionage
First Seen
2009
Observed Sectors
- Aerospace
- Construction
- Defense
- Education
- Engineering
- Healthcare
- High-Tech
- Telecommunications
- Transportation
- Biotechnology
Observed Countries
Tools
Operations
- 2014-04: Community Health Systems data breach https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828/ https://www.venafi.com/blog/infographic-how-an-attack-by-a-cyber-espionage-operator-bypassed-security-controls
- 2015-06: Attacks using DNS requests as command-and-control mechanism, launched shortly after the Hacking Team leak. Method: Phishing with obfuscated variants of the HTTPBrowser tool, packed with custom ROP to hinder analysis. https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
- 2016-05: Attacks using DNS requests as command-and-control mechanism. Target: Organizations in the USA. Method: Phishing with the Pisloader dropper, which carries its C2 traffic over DNS. https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
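Both the 2015 and 2016 operations above rely on DNS as the command-and-control channel, which is worth a concrete detection angle. The following is an added example written for this card, not code from Palo Alto Networks, Anomali, FireEye or the Wekby tooling itself: a small heuristic that profiles resolver logs per registered domain and flags domains whose queries look like an encoded beacon (many unique high-entropy subdomains, long base32-alphabet labels, a high share of TXT queries). The log lines are constructed for the example; the "evil-example.test" names are made-up base32-alphabet strings, the treatment of the last two labels as the registered domain is a simplification (production code would consult a public-suffix list), and the thresholds are assumptions to tune against your own baseline.

```python
"""Heuristic detector for DNS-tunnelled command-and-control traffic.

Added example for the Wekby/APT 18 card; assumptions are marked inline.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed resolver-log sample: (query name, query type). The
# evil-example.test entries imitate a beacon that packs data into long
# base32-alphabet subdomains and reads tasking from TXT answers; the rest
# is ordinary traffic. None of these names are real indicators.
SAMPLE_QUERIES = [
    ("www.example.com", "A"),
    ("mail.example.com", "MX"),
    ("cdn.example.net", "A"),
    ("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.evil-example.test", "TXT"),
    ("MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43U.evil-example.test", "TXT"),
    ("KRSXG5BAMRQXIYJAMZXXEIDQNFZWS3TH.evil-example.test", "TXT"),
    ("ORSXG5BAMRQXIYJAMZXXEIDQNFZWS3TH.evil-example.test", "TXT"),
    ("MJQXGZJTGIQGC3DQNBQWEZLUEBZXI4TJ.evil-example.test", "TXT"),
    ("update.example.org", "A"),
    ("www.example.com", "A"),
]

# A label drawn only from the base32 alphabet and at least 16 chars long
# (i.e. >= 10 encoded bytes); short ordinary labels like "www" also use
# only letters, so the length floor does most of the work here.
BASE32_LABEL = re.compile(r"[a-z2-7]{16,}=*")


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (registered domain, subdomain part).

    Assumption: the registered domain is the last two labels. A real
    deployment should use a public-suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(queries):
    """Aggregate per-domain features over an iterable of (qname, qtype)."""
    stats = defaultdict(lambda: {
        "queries": 0, "txt": 0, "subdomains": set(),
        "entropies": [], "base32_labels": 0, "max_label": 0,
    })
    for qname, qtype in queries:
        domain, sub = split_qname(qname)
        st = stats[domain]
        st["queries"] += 1
        if qtype.upper() == "TXT":
            st["txt"] += 1
        if sub:
            st["subdomains"].add(sub)
            st["entropies"].append(shannon_entropy(sub))
            longest = max(sub.split("."), key=len)
            st["max_label"] = max(st["max_label"], len(longest))
            if BASE32_LABEL.fullmatch(longest):
                st["base32_labels"] += 1
    return stats


def score_domain(st) -> list[str]:
    """Return the list of heuristics a domain's profile triggers.

    Thresholds are assumptions for the example; tune them per environment.
    """
    reasons = []
    n = st["queries"]
    uniq = len(st["subdomains"])
    mean_entropy = (sum(st["entropies"]) / len(st["entropies"])
                    if st["entropies"] else 0.0)
    if uniq >= 3 and mean_entropy >= 3.0:
        reasons.append(f"{uniq} unique subdomains, mean entropy "
                       f"{mean_entropy:.2f} bits/char")
    if uniq >= 3 and st["txt"] / n >= 0.5:
        reasons.append(f"{st['txt']}/{n} queries are TXT with varying subdomains")
    if st["base32_labels"] >= 3:
        reasons.append(f"{st['base32_labels']} base32-alphabet labels of "
                       f"length >= 16 (max {st['max_label']})")
    return reasons


def detect(queries, min_reasons: int = 2) -> dict[str, list[str]]:
    """Map each flagged registered domain to the reasons it was flagged."""
    flagged = {}
    for domain, st in profile_domains(queries).items():
        reasons = score_domain(st)
        if len(reasons) >= min_reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in detect(SAMPLE_QUERIES).items():
        print(domain)
        for r in reasons:
            print("  -", r)
```

Requiring two independent heuristics before alerting keeps single-feature noise (a CDN with hashed hostnames, a legitimate TXT-heavy SPF/DKIM lookup burst) from paging anyone; the per-domain reasons are what an analyst wants in the alert body when pivoting on the resolver logs.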
Mitre Attack
Other Information
Uuid
aa2f3420-e239-4b0c-9066-c6f5804de6a8
Last Card Change
2025-06-28