ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Chimera

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Chimera

NamesChimera (CyCraft)
CountryChina China
MotivationInformation theft and espionage
First seen2018
Description(CyCraft) For nearly two years, our team monitored several attacks that targeted Taiwan’s semiconductor vendors. We believe these attacks originated from the same threat actor – Chimera – as these attacks utilized similar tactics, techniques and even the same customized malware. The actor likely harvested various valid credentials via phishing emails or data breaches as their starting point to conduct their cyber attack on the vendors. Cobalt Strike was later used as their main RAT tool. To avoid detection, the Cobalt Strike RAT was often masqueraded as a Google Chrome Update. The RAT would then connect back to their C2 server. As these servers were in a public cloud server, it made it difficult to track. Subsequently, by compromising the AD server, the delicate malware – SkeletonKeyInjector – was invoked to implant a general key to allow LM, persistence and defense evasion. Although this malware was discovered for the first time, we have high confidence that these attacks were conducted by the same threat actor. Based on the stolen data, we infer that the actor’s goal was to harvest company trade secrets. The motive may be related to business competition or a country’s industrial strategy.
ObservedSectors: Aviation, High-Tech.
Countries: Netherlands, Taiwan and different geographical areas.
Tools usedCobalt Strike, SkeletonKeyInjector.
Operations performedLate 2017Hackers spent 2+ years looting secrets of chipmaker NXP before being detected
Late 2018Operation “Skeleton Key”
Oct 2019NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to passenger data from the airline industry.

Last change to this card: 30 November 2023

Download this actor card in PDF or JSON format

Previous: ChamelGang
Next: CIA

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]