Thursday, 07 February 2019 09:41

Attribution of cyber campaign to APT10 questioned


A security researcher has questioned the attribution of a cyber-espionage campaign to the group known as APT10, which has long been suspected of operating with patronage from China, arguing instead that the activity classed as APT10 is more likely the work of another group, APT31, also known as Zirconium.

The attribution to APT10 was made jointly by the companies Rapid7 and Recorded Future, with the latter releasing a blog post overnight which said the campaign in question had targeted at least three American firms and a Norwegian firm known as Visma, a managed services provider and a client and supplier of Recorded Future.

The blog post said an international apparel company and an American legal firm were also targeted, with the campaign having been uncovered between November 2017 and September 2018. The incident was said to be related to the US charging two Chinese men with infiltrating a number of managed service providers and other organisations in the US.

"Based on the technical data uncovered, and in light of recent disclosures by the US Department of Justice on the ongoing activities of Chinese state-sponsored threat actors, we assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda, menuPass, CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage," Recorded Future claimed.

But the security researcher, who goes by the initials bk and claims to be an analyst at the Microsoft Threat Intelligence Centre, contested this.

"This activity is not APT10. It is all APT31 (or ZIRCONIUM) in our terms. The C2 domains that you mention were all registered and the threat actors made subsequent changes in specific ways that we attribute (with other information) to ZIRCONIUM," he wrote.

"ZIRCONIUM has registered 50+ C2 domains in this same manner you mention. Swiftydns.com nameserver (initially) then topdns.com soon after. This has gone on for a few years ... When the sub-domains are created for these C2's they _typically_ resolve to IP's that are allocated to a VPS reseller named 'CrownCloud'.

"Usually when you find one C2 for ZIRCONIUM you can find several by hunting the allocated netblocks for the provider and joining in other data. You'll find more ZIRCONIUM if you use this methodology against the C2s you listed."
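The hunting pattern bk describes (a domain first delegated to swiftydns.com nameservers, moved to topdns.com soon after, with subdomains resolving into one VPS reseller's netblocks) can be turned into a defender-side check over passive-DNS history. The following is an added example, not code from the article, Microsoft or Recorded Future; the records, domains and dates are constructed, the netblock is a TEST-NET placeholder because the article does not list the provider's ranges, and the 60-day window for "soon after" is an assumption.

```python
import ipaddress
from datetime import date

# Constructed passive-DNS style records: nameserver history and the IPs the
# domain's subdomains resolved to. Domains, dates and addresses are made up.
RECORDS = [
    {"domain": "example-c2-a.test",
     "ns_history": [(date(2018, 1, 3), "ns1.swiftydns.com"), (date(2018, 1, 20), "ns1.topdns.com")],
     "subdomain_ips": ["203.0.113.17", "203.0.113.42"]},
    {"domain": "example-c2-b.test",
     "ns_history": [(date(2018, 3, 8), "ns2.swiftydns.com"), (date(2018, 4, 1), "ns2.topdns.com")],
     "subdomain_ips": ["203.0.113.200", "198.51.100.9"]},
    {"domain": "swifty-only.test",  # first NS matches, but never moved to topdns
     "ns_history": [(date(2018, 5, 1), "ns1.swiftydns.com")],
     "subdomain_ips": ["203.0.113.77"]},
    {"domain": "legit-site.test",
     "ns_history": [(date(2017, 6, 1), "ns1.registrar-example.test")],
     "subdomain_ips": ["198.51.100.5"]},
]

# Placeholder for the reseller's netblocks (TEST-NET-3); the article gives none.
PROVIDER_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
# "Soon after" is not quantified in the tweets; 60 days is an assumption.
MAX_DAYS_TO_TOPDNS = 60


def ns_pattern(ns_history):
    """First delegation under swiftydns.com, a later one under topdns.com within the window."""
    if len(ns_history) < 2:
        return False
    first_date, first_ns = ns_history[0]
    if not first_ns.lower().endswith("swiftydns.com"):
        return False
    return any(ns.lower().endswith("topdns.com") and (d - first_date).days <= MAX_DAYS_TO_TOPDNS
               for d, ns in ns_history[1:])


def ips_in_netblocks(ips, netblocks):
    """Subset of addresses that fall inside any of the given netblocks."""
    return [ip for ip in ips if any(ipaddress.ip_address(ip) in nb for nb in netblocks)]


def hunt(records, netblocks=PROVIDER_NETBLOCKS):
    """Domains matching both halves of the pattern -> list of hosting IPs that matched."""
    hits = {}
    for rec in records:
        hosted = ips_in_netblocks(rec["subdomain_ips"], netblocks)
        if ns_pattern(rec["ns_history"]) and hosted:
            hits[rec["domain"]] = hosted
    return hits
```

Requiring both the nameserver sequence and the hosting overlap keeps a single shared characteristic (many legitimate domains use the same registrar or VPS provider) from producing a match on its own.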

Recorded Future's confidence about attribution was also questioned by another researcher, Ben Goerz, who wrote: "I think you're missing the point. You guys have been throwing 'High Confidence' around pretty loosely."

Recorded Future, which has close links with In-Q-Tel, the CIA’s investment arm, and Google Ventures, responded to the tweets from bk, saying: "Appreciate your input. Definitely happy to collaborate and compare notes/data. Please check out this part of the report where we did caveat for a potential link."

The part of the report referred to was at the end of the blog post and said: "Based on available information, we assess that this intrusion was conducted by the group that is known as APT10. However, during the course of this investigation, we have had privileged conversations that lead us to believe that in the future, portions of what is now known as APT10 will be recategorised as a new group. There is insufficient data at this time to make that distinction."



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.