APT5 | APT Profile

Description

[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://attack.mitre.org/groups/G1023) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)

Techniques Used (TTPs)

T1059.001 — PowerShell (execution)
T1136.001 — Local Account (persistence)
T1070.006 — Timestomp (defense-evasion)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1654 — Log Enumeration (discovery)
T1583.005 — Botnet (resource-development)
T1562.006 — Indicator Blocking (defense-evasion)
T1074.001 — Local Data Staging (collection)
T1554 — Compromise Host Software Binary (persistence)
T1056.001 — Keylogging (collection, credential-access)
T1078.004 — Cloud Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1560.001 — Archive via Utility (collection)
T1003.001 — LSASS Memory (credential-access)
T1003.002 — Security Account Manager (credential-access)
T1070.004 — File Deletion (defense-evasion)
T1098.007 — Additional Local or Domain Groups (persistence, privilege-escalation)
T1057 — Process Discovery (discovery)
T1070 — Indicator Removal (defense-evasion)
T1053.003 — Cron (execution, persistence, privilege-escalation)
T1059.003 — Windows Command Shell (execution)
T1021.004 — SSH (lateral-movement)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1505.003 — Web Shell (persistence)
T1049 — System Network Connections Discovery (discovery)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1070.003 — Clear Command History (defense-evasion)
T1083 — File and Directory Discovery (discovery)
T1190 — Exploit Public-Facing Application (initial-access)

Total TTPs: 29

Malware & Tools

Malware: PACEMAKER, PULSECHECK, PoisonIvy, RAPIDPULSE, SLIGHTPULSE, SLOWPULSE, Skeleton Key, gh0st RAT

Tools: Mimikatz, Net, PcShare, Tasklist, netstat

← Return to Home ← Back to APT Search