Attribution of cyber campaign to APT10 questioned

A security researcher has questioned the attribution of a cyber-espionage campaign to the group known as APT10, which has long been suspected to be operating with patronage from China, pointing out instead that the activity that had been classed as APT10 was more likely attributable to another group, APT31 aka Zirconium.

The attribution to APT10 was made jointly by the companies Rapid7 and Recorded Future, with the latter releasing a blog post overnight which said the campaign in question had targeted at least three American firms and a Norwegian firm known as Visma, a managed services provider and a client and supplier of Recorded Future.

The blog post said an international apparel company and an American legal firm were also targeted, with the campaign having been uncovered between November 2017 and September 2018. The incident was said to be related to the US charging two Chinese men with infiltrating a number of managed service providers and other organisations in the US.

"Based on the technical data uncovered, and in light of recent disclosures by the US Department of Justice on the ongoing activities of Chinese state-sponsored threat actors, we assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda, menuPass, CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage," Recorded Future claimed.

But the security researcher, who goes by the initials bk and claims to be an analyst at the Microsoft Threat Intelligence Centre, contested this.

"This activity is not APT10. It is all APT31 (or ZIRCONIUM) in our terms. The C2 domains that you mention were all registered and the threat actors made subsequent changes in specific ways that we attribute (with other information) to ZIRCONIUM," he wrote.

"ZIRCONIUM has registered 50+ C2 domains in this same manner you mention. Swiftydns\.com nameserver (initially) then topdns\.com soon after. This has gone on for a few years...When the sub-domains are created for these C2s they _typically_ resolve to IPs that are allocated to a VPS reseller named 'CrownCloud'.

"Usually when you find one C2 for ZIRCONIUM you can find several by hunting the allocated netblocks for the provider and joining in other data. You'll find more ZIRCONIUM if you use this methodology against the C2s you listed."
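The method bk describes is an infrastructure-clustering pivot: domains that share a registration and nameserver pattern, whose hostnames land in a hosting reseller's address space, are gathered and then enriched with other data. The script below is an added illustration of that workflow and is not code from the article, from Microsoft or from Recorded Future. The nameserver domains come from the quoted tweet; every domain name, IP address and netblock in it is constructed for the example (RFC 5737 documentation ranges and `.test` names), and the scoring rule is a hypothetical one chosen to show why a shared-hosting netblock on its own is a lead rather than an attribution.

```python
"""Cluster domains by a nameserver-change pattern and hosting-provider netblocks.

Added example with constructed passive-DNS/WHOIS-style records; not the
article's or any vendor's code. Domains, IPs and netblocks are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class DomainRecord:
    """One registered domain with its nameserver history and observed resolutions."""
    domain: str
    ns_history: List[str]        # nameserver hosts, oldest first (index 0 = at registration)
    resolutions: Dict[str, str]  # hostname -> IPv4 address seen in passive DNS


INITIAL_NS = "swiftydns.com"  # nameserver used at registration (from the quoted tweet)
LATER_NS = "topdns.com"       # nameserver the domains moved to soon after (from the tweet)

# Hypothetical reseller address space; constructed from RFC 5737 documentation ranges.
PROVIDER_NETBLOCKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample records: two that match both features, one that matches only
# the nameserver pattern, one benign tenant of the same provider, one unrelated.
RECORDS = [
    DomainRecord("example-c2-one.test",
                 ["ns1.swiftydns.com", "ns1.topdns.com"],
                 {"mail.example-c2-one.test": "198.51.100.17"}),
    DomainRecord("example-c2-two.test",
                 ["ns1.swiftydns.com", "ns2.topdns.com"],
                 {"update.example-c2-two.test": "203.0.113.44"}),
    DomainRecord("example-c2-three.test",
                 ["ns1.swiftydns.com", "ns1.topdns.com"],
                 {"cdn.example-c2-three.test": "192.0.2.55"}),
    DomainRecord("other-tenant.test",
                 ["ns1.example-registrar.test"],
                 {"www.other-tenant.test": "198.51.100.90"}),
    DomainRecord("benign-shop.test",
                 ["ns1.swiftydns.com"],
                 {"www.benign-shop.test": "192.0.2.10"}),
]


def ns_pattern_matches(history: List[str]) -> bool:
    """True when the domain started on INITIAL_NS and later moved to LATER_NS."""
    if len(history) < 2:
        return False
    started_on_initial = history[0].lower().endswith("." + INITIAL_NS)
    moved_to_later = any(ns.lower().endswith("." + LATER_NS) for ns in history[1:])
    return started_on_initial and moved_to_later


def resolves_into_provider(resolutions: Dict[str, str]) -> bool:
    """True when any hostname of the domain resolves into the provider's netblocks."""
    for ip in resolutions.values():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in PROVIDER_NETBLOCKS):
            return True
    return False


def score(record: DomainRecord) -> int:
    """Number of the two described features the domain exhibits (0, 1 or 2)."""
    return int(ns_pattern_matches(record.ns_history)) + int(resolves_into_provider(record.resolutions))


def cluster(records: List[DomainRecord], min_score: int = 2) -> List[str]:
    """Domains showing at least min_score features, sorted for stable output.

    With the default threshold only domains matching both the nameserver pattern
    and the hosting netblocks are returned; a single feature is a lead to enrich.
    """
    return sorted(r.domain for r in records if score(r) >= min_score)


def pivot_by_netblock(records: List[DomainRecord], netblocks) -> Set[str]:
    """Every domain with a hostname resolving into the given netblocks, regardless
    of nameserver history. Shared hosting means this set contains unrelated
    tenants, which is why it feeds enrichment rather than a verdict."""
    hits: Set[str] = set()
    for r in records:
        for ip in r.resolutions.values():
            if any(ipaddress.ip_address(ip) in net for net in netblocks):
                hits.add(r.domain)
    return hits


if __name__ == "__main__":
    print("strong cluster:", cluster(RECORDS))
    print("leads (>=1 feature):", cluster(RECORDS, min_score=1))
    print("netblock pivot:", sorted(pivot_by_netblock(RECORDS, PROVIDER_NETBLOCKS)))
```

Run as a script, the strong cluster contains only the two constructed domains that exhibit both features, while the netblock pivot also surfaces the unrelated tenant sharing the provider's address space. That gap between the pivot set and the scored cluster is the point of the exchange in the article: overlapping hosting and registrar choices are a reason to collect and compare data, not by themselves a reason to name a group with high confidence.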

Recorded Future's confidence about attribution was also questioned by another researcher, Ben Goerz, who wrote: "I think you're missing the point. You guys have been throwing 'High Confidence' around pretty loosely."

Recorded Future, which has close links with In-Q-Tel, the CIA’s investment arm, and Google Ventures, responded to the tweets from bk, saying: "Appreciate your input. Definitely happy to collaborate and compare notes/data. Please check out this part of the report where we did caveat for a potential link."

The part of the report referred to was at the end of the blog post and said: "Based on available information, we assess that this intrusion was conducted by the group that is known as APT10. However, during the course of this investigation, we have had privileged conversations that lead us to believe that in the future, portions of what is now known as APT10 will be recategorised as a new group. There is insufficient data at this time to make that distinction."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.