The attribution to APT10 was made jointly by the companies Rapid7 and Recorded Future, with the latter releasing a blog post overnight which said the campaign in question had targeted at least three American firms and a Norwegian firm known as Visma, a managed services provider and a client and supplier of Recorded Future.
The blog post said an international apparel company and an American legal firm were also targeted, with the campaign having been uncovered between November 2017 and September 2018. The incident was said to be related to the US charging two Chinese men with infiltrating a number of managed service providers and other organisations in the US.
"This activity is not APT10. It is all APT31 (or ZIRCONIUM) in our terms. The C2 domains that you mention were all registered and the threat actors made subsequent changes in specific ways that we attribute (with other information) to ZIRCONIUM."
— bk (@bkMSFT), February 6, 2019
"Based on the technical data uncovered, and in light of recent disclosures by the US Department of Justice on the ongoing activities of Chinese state-sponsored threat actors, we assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda, menuPass, CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage," Recorded Future claimed.
"This activity is not APT10. It is all APT31 (or ZIRCONIUM) in our terms. The C2 domains that you mention were all registered and the threat actors made subsequent changes in specific ways that we attribute (with other information) to ZIRCONIUM," he wrote.
"ZIRCONIUM has registered 50+ C2 domains in this same manner you mention. Swiftydns.com nameserver (initially) then topdns.com soon after. This has gone on for a few years... When the sub-domains are created for these C2s they _typically_ resolve to IPs that are allocated to a VPS reseller named 'CrownCloud'.
"I think you're missing the point. You guys have been throwing 'High Confidence' around pretty loosely." pic.twitter.com/4JPXGUzR2Y
— Ben Goerz (@bengoerz), February 6, 2019
"Usually when you find one C2 for ZIRCONIUM you can find several by hunting the allocated netblocks for the provider and joining in other data. You'll find more ZIRCONIUM if you use this methodology against the C2s you listed."
Recorded Future's confidence in its attribution was also questioned by another researcher, Ben Goerz, who wrote: "I think you're missing the point. You guys have been throwing 'High Confidence' around pretty loosely."
Recorded Future, which has close links with In-Q-Tel, the CIA’s investment arm, and Google Ventures, responded to the tweets from bk, saying: "Appreciate your input. Definitely happy to collaborate and compare notes/data. Please check out this part of the report where we did caveat for a potential link."
The part of the report referred to was at the end of the blog post and said: "Based on available information, we assess that this intrusion was conducted by the group that is known as APT10. However, during the course of this investigation, we have had privileged conversations that lead us to believe that in the future, portions of what is now known as APT10 will be recategorised as a new group. There is insufficient data at this time to make that distinction."