APT 4, Maverick Panda, Wisp Team
Description
(Trend Micro) Sykipot has a history of primarily targeting the US Defense Industrial Base (DIB) and key industries such as telecommunications, computer hardware, government contractors, and aerospace. Open source review of 15 major Sykipot attacks over the last 6 years confirms this.
Recently, we encountered a case where Sykipot variants were gathering information related to the civil aviation sector. While the exploitation occurred at a target consistent with their history, the information sought raises new interest. The intentions of this latest round of targeting are unclear, but it represents a shift in objectives or mission.
Names
| Name | Name-Giver |
|---|---|
| APT 4 | Mandiant |
| APT 4 | FireEye |
| Maverick Panda | CrowdStrike |
| Wisp Team | Symantec |
| Sykipot | AlienVault |
| TG-0623 | SecureWorks |
| Bronze Edison | SecureWorks |
| Sodium | Microsoft |
| Salmon Typhoon | Microsoft |
Country
Sponsor
State-sponsored, PLA Navy
Motivation
- Information theft and espionage
First Seen
2007
Observed Sectors
Observed Countries
Tools
Operations
- 2011-12: Are the Sykipot’s authors obsessed with next generation US drones? https://cybersecurity.att.com/blogs/labs-research/are-the-sykipots-authors-obsessed-with-next-generation-us-drones
- 2012-01: Sykipot variant hijacks DOD and Windows smart cards https://cybersecurity.att.com/blogs/labs-research/sykipot-variant-hijacks-dod-and-windows-smart-cards
- 2012-07: Sykipot is back https://cybersecurity.att.com/blogs/labs-research/sykipot-is-back
- 2013-03: New Sykipot developments https://cybersecurity.att.com/blogs/labs-research/new-sykipot-developments
- 2013-09: Sykipot Now Targeting US Civil Aviation Sector Information https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/
- 2015: A group dubbed APT4 is suspected to be behind a breach of an Asian airline company discovered in the second quarter of this year. Its attack style uses well-written and researched ‘spear-phishes’ with industry themes. The attacks were aimed at public key infrastructure targets. https://www.digitalnewsasia.com/digital-economy/asia-in-the-crosshairs-of-apt-attackers-fireeye-cto
- 2018-10: The report also mentions some attacks conducted by APT4, which include sending malicious emails to a blockchain gaming start-up last year and attacking a cryptocurrency exchange in June 2018. Last October, the group also used XMRig, a Monero cryptocurrency mining tool, on the target’s computer. https://mycryptomag.com/2019/08/08/cryptocurrency-firms-are-targets-of-state-sponsored-hacking-group-from-china/
Information
- https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/
- https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
Other Information
Uuid
37543431-9ac9-488b-ad5a-eded5a6ff964
Last Card Change
2024-03-06