ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > TA428

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: TA428

NamesTA428 (Proofpoint)
Panda (NTT)
ThunderCats (SentinelLabs)
CountryChina China
MotivationInformation theft and espionage
First seen2013
Description(Proofpoint) Proofpoint researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019. These campaigns originated from adversary-operated free email sender accounts at yahoo[.]co[.].jp and yahoo[.]com. Sender addresses often imitated common names found in the languages of targeted entities. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions.

The lures used in the subjects, attachment names, and attachment content in several cases utilized information technology themes specific to Asia such as governmental or public training documents relating to IT. On one specific occasion an email utilized the subject “ITU Asia-Pacific Online CoE Training Course on ‘Conformity & Interoperability in 5G’ for the Asia-Pacific Region, 15-26 April 2019” and the attachment name “190315_annex 1 online_course_agenda_coei_c&i.doc”. The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries.

This actor worked together with Emissary Panda, APT 27, LuckyMouse, Bronze Union in Operation StealthyTrident.
ObservedSectors: Government and industrial plants, design bureaus and research institutes.
Countries: Afghanistan, Belarus, Mongolia, Russia, Ukraine and East Asia.
Tools used8.t Dropper, Albaniiutas, Cotx RAT, CoughingDown, PhantomNet, PlugX, Poison Ivy, TManger.
Operations performedMar 2019Operation “LagTime IT”
Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT.
Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns.
<https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology>
<https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger>
Jun 2020Operation “StealthyTrident”
ESET researchers discovered that chat software called Able Desktop, part of a business management suite popular in Mongolia and used by 430 government agencies in Mongolia.
<https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/>
<https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/>
Dec 2020China-linked TA428 Continues to Target Russia and Mongolia IT Companies
<https://www.recordedfuture.com/china-linked-ta428-threat-group/>
May 2021ThunderCats Hack the FSB
<https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/>
<https://blog.group-ib.com/task>
Jan 2022Targeted attack on industrial enterprises and public institutions
<https://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/>
Information<https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology>
<https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf>
<https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/>

Last change to this card: 12 September 2022

Download this actor card in PDF or JSON format

Previous: TA413
Next: TA459

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]