Names: APT 4 (Mandiant), APT 4 (FireEye), Maverick Panda (CrowdStrike), Wisp Team (Symantec), Sykipot (AlienVault), TG-0623 (SecureWorks), Bronze Edison (SecureWorks), Sodium (Microsoft), Salmon Typhoon (Microsoft)
Country: China
Sponsor: State-sponsored, PLA Navy
Motivation: Information theft and espionage
First seen: 2007

Description (Trend Micro):
Sykipot has a history of primarily targeting the US Defense Industrial Base (DIB) and key industries such as telecommunications, computer hardware, government contractors, and aerospace. Open source review of 15 major Sykipot attacks over the last 6 years confirms this. Recently, we encountered a case where Sykipot variants were gathering information related to the civil aviation sector. While the exploitation occurred at a target consistent with their history, the information sought raises new interest. The intentions of this latest round of targeting are unclear, but it represents a shift in objectives or mission.

Observed
Sectors: Aerospace, Aviation, Defense, Government, Telecommunications.
Countries: USA.

Tools used: Sykipot, XMRig.

Operations performed
Dec 2011: Are the Sykipot's authors obsessed with next generation US drones?
Jan 2012: Sykipot variant hijacks DOD and Windows smart cards
Jul 2012: Sykipot is back
Mar 2013: New Sykipot developments
Sep 2013: Sykipot Now Targeting US Civil Aviation Sector Information
2015: A group dubbed APT4 is suspected to be behind a breach of an Asian airline company discovered in the second quarter of this year. Its attack style uses well-written and researched 'spear-phishes' with industry themes. The attacks were aimed at public key infrastructure targets.
Oct 2018: The report also mentions some attacks conducted by APT4, which include sending malicious emails to a blockchain gaming start-up last year and attacking a cryptocurrency exchange in June 2018. Last October, the group also used XMRig, a Monero cryptocurrency mining tool, on the target's computer.

Last change to this card: 06 March 2024