ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > APT 18, Dynamite Panda, Wekby

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: APT 18, Dynamite Panda, Wekby

NamesAPT 18 (Mandiant)
Dynamite Panda (CrowdStrike)
TG-0416 (SecureWorks)
Wekby (Palo Alto)
Scandium (Microsoft)
CountryChina China
SponsorState-sponsored, PLA Navy
MotivationInformation theft and espionage
First seen2009
DescriptionWekby was described by Palo Alto Networks in a 2016 report as: ‘Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of Hacking Team’s Flash zero-day exploit.’

This threat group has been seen since 2009.

APT 18 may be related to Night Dragon and/or Nitro, Covert Grove.
ObservedSectors: Aerospace, Construction, Defense, Education, Engineering, Healthcare, High-Tech, Telecommunications, Transportation and Biotechnology.
Countries: USA.
Tools usedAtNow, Gh0st RAT, hcdLoader, HTTPBrowser, Pisloader, StickyFingers and 0-day exploits for Flash.
Operations performedApr 2014Community Health Systems data breach
<https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828/>
<https://www.venafi.com/blog/infographic-how-an-attack-by-a-cyber-espionage-operator-bypassed-security-controls>
Jun 2015Attacks using DNS Requests as Command and Control Mechanism
Method: Phishing with obfuscated variants of the HTTPBrowser tool.
<https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop>
<https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html>
May 2016Attacks using DNS Requests as Command and Control Mechanism
Target: Organizations in the USA.
Method: Phishing with Pisloader dropper.
<https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0026/>

Last change to this card: 01 May 2020

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents
Telephone +66 (0)2-123-1227
E-mail [email protected]