Names | Whitefly (Symantec) Mofang (Fox-IT) TEMP.Mimic (FireEye) Bronze Walker (SecureWorks) ATK 83 (Thales) SectorM04 (ThreatRecon) Superman (?) | |
Country | [Unknown] | |
Motivation | Information theft and espionage | |
First seen | 2012 | |
Description | (Fox-IT) Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries. | |
Observed | Sectors: Automotive, Critical infrastructure, Defense, Engineering, Government, Healthcare, Media, Telecommunications and weapon industries. Countries: Canada, Germany, India, Myanmar, Singapore, South Korea, USA. | |
Tools used | Mimikatz, Nibatad, ShimRAT, Termite, Vcrodat, Living off the Land. | |
Operations performed | Jul 2018 | Breach of SingHealth <https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J> <https://redalert.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/> |
Information | <https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf> <https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0103/> <https://attack.mitre.org/groups/G0107/> |
Last change to this card: 30 December 2022
Download this actor card in PDF or JSON format
Previous: The White Company
Next: Wicked Spider, APT 22
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |