Unnamed groups: China

Description

These are reported APT activities attributed to a country, but not to an individual threat group.

Names

Name	Name-Giver
[Unnamed groups: China]	?

Country

• China

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2018

Observed Sectors

• Defense
• Government

Observed Countries

• Cambodia
• Japan
• Myanmar
• Netherlands
• Taiwan
• USA
• Worlwide

Tools

• COATHANGER

Operations

• 2018-01: China blamed for data theft from US Navy contractor https://www.zdnet.com/article/china-blamed-for-data-theft-from-us-navy-contractor/
• 2019-06: Mitsubishi Electric discloses security breach, China is main suspect https://www.zdnet.com/article/mitsubishi-electric-discloses-security-breach-china-is-main-suspect/
• 2020-02: China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5
• 2020-03: Unknown China-Based APT Targeting Myanmarese Entities https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
• 2020-10: China hacked Japan’s sensitive defense networks, officials say https://www.washingtonpost.com/national-security/2023/08/07/china-japan-hack-pentagon/
• 2021: Minority report: Fake human rights documents and websites used in cyberattacks targeting Uyghurs, a Turkic ethnic minority in China https://blog.checkpoint.com/security/minority-report-fake-human-rights-documents-and-websites-used-in-cyberattacks-targeting-uyghurs-a-turkic-ethnic-minority-in-china/
• 2022-01: News Corp discloses hack from ‘persistent’ nation state cyber attacks https://www.bleepingcomputer.com/news/security/news-corp-discloses-hack-from-persistent-nation-state-cyber-attacks/
• 2022-10: Amnesty International Canada breached by suspected Chinese hackers https://www.bleepingcomputer.com/news/security/amnesty-international-canada-breached-by-suspected-chinese-hackers/
• 2022-10: Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
• 2022-10: Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
• 2023: Ministry of Defence of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf https://english.ncsc.nl/latest/news/2024/june/10/ongoing-state-sponsored-cyber-espionage-campaign-via-vulnerable-edge-devices
• 2023-04: China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan https://www.trellix.com/blogs/research/china-taiwan-tensions-spark-surge-in-cyberattacks-on-taiwan/
• 2023-09: Chinese APT Targeting Cambodian Government https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/
• 2023-10: Likely China-based Attackers Target High-profile Organizations in Southeast Asia https://www.security.com/threat-intelligence/china-southeast-asia-espionage
• 2024-02: Hackers stole ‘sensitive’ data from Taiwan telecom giant: ministry https://www.france24.com/en/live-news/20240301-hackers-stole-sensitive-data-from-taiwan-telecom-giant-ministry

Counter Operations

• 2021-07: The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/
• 2024-05: Treasury Sanctions a Cybercrime Network Associated with the 911 S5 Botnet https://home.treasury.gov/news/press-releases/jy2375
• 2024-05: 911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
• 2024-12: Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks https://home.treasury.gov/news/press-releases/jy2742
• 2025-03: Treasury Sanctions China-based Hacker Involved in the Compromise of Sensitive U.S. Victim Networks https://home.treasury.gov/news/press-releases/sb0042

Information

• https://go.recordedfuture.com/hubfs/reports/cta-2021-0727.pdf
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
• https://us-cert.cisa.gov/ncas/alerts/aa20-258a
• https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
• https://go.recordedfuture.com/hubfs/reports/cta-2024-0320.pdf
• https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/MTAC-East-Asia-Report.pdf
• https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
• https://www.cyber.gc.ca/en/news-events/statement-peoples-republic-china-reconnaissance-canadian-systems
• https://www.sophos.com/en-us/content/pacific-rim
• https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
• https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/

Other Information

Uuid

e319c38c-1f2c-434b-b1b9-6457bc585bcd

Last Card Change

2025-04-21