>samit_hota
Back to adversary profiles
G0005HighActive

APT12 (Numbered Panda) Profile: Persistent Chinese Cyber Espionage

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intelligence Gathering, Political Espionage, Industrial Theft, Narrative Control
Aliases
IXESHE, DynCalc, Numbered Panda, DNSCALC
Target Sectors
Governments, Media, High-Tech, Defense Industrial Base, Electronics Manufacturing, Telecommunications, Journalists
Associated Malware
IXESHE, AUMLIB, Etumbot, HIGHTIDE, THREEBYTE, WATERSPOUT, RapidStealer, IHEATE
#threat-actor#g0005

Overview

APT12, also tracked as Numbered Panda, IXESHE, DynCalc, and DNSCALC, is a sophisticated and persistent Chinese state-sponsored cyber espionage group, widely believed to be linked to the People’s Liberation Army (PLA). Active since at least 2009, this group has consistently pursued strategic intelligence collection aligned with the broader geopolitical objectives of the People’s Republic of China (PRC).

The primary motivation behind APT12’s operations is intelligence gathering and political espionage. This includes the collection of sensitive information from governments, military entities, and defense-adjacent industries, with a pronounced and sustained focus on Taiwanese and Japanese interests. The group also engages in technology theft from high-tech and electronics sectors and actively monitors media organizations that publish reporting unfavorable to the PRC leadership, indicating a strong interest in narrative control. Their campaigns have spanned a broad range of sectors and geographies, with known targets including entities in Germany, Japan, Taiwan, and the United States.

Tactics & Techniques

APT12 employs a range of advanced tactics to achieve its objectives, demonstrating a notable capacity for adaptation. Initial access typically relies on spear-phishing campaigns, where deceptive emails deliver malicious Microsoft Office documents and PDFs. These documents are carefully crafted to trick recipients into opening them, often exploiting known vulnerabilities in common software. Historical exploits leveraged by APT12 include Microsoft Office vulnerabilities (such as CVE-2009-3129 and CVE-2012-0158) and flaws in Adobe Reader and Flash (e.g., CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611). The group has also been observed using valid, but compromised, email accounts to send these phishing messages, increasing their credibility.

For defense evasion, APT12 is particularly adept at evolving its operations swiftly in response to public disclosures by security researchers. This “Darwinian” characteristic involves retooling their malware and infrastructure, modifying protocols, changing file paths, and altering network signatures to circumvent new detection capabilities. They have used techniques like the right-to-left override exploit to disguise malicious executable files as benign documents.

In terms of command and control (C2), APT12 has utilized blogs and WordPress for its C2 infrastructure. A distinctive technique employed by the group is dynamic DNS Calculation for C2 port determination, where they multiply the first two octets of an IP address and add the third to derive the C2 port. This method is effective in bypassing egress filtering designed to prevent unauthorized communications. They also leverage compromised servers as part of their C2 infrastructure and typically use Base64 encoding for communication between compromised machines and their C2 servers. Once inside a system, the group also focuses on discovery, collecting victim’s BIOS information, external IP addresses, and operating system details.

Notable Campaigns

APT12 has been associated with several significant cyber espionage campaigns over its operational history. One of its most recognized intrusions is the 2012-2013 breach of the New York Times. The attack commenced shortly before the newspaper published an investigative report detailing the substantial wealth accumulated by relatives of then-Premier Wen Jiabao. During this operation, APT12 infiltrated the New York Times’ network, exfiltrating corporate passwords for all employees and accessing the emails of journalists involved in the investigative piece. The activity was specifically centered on acquiring information related to the Wen family.

Another notable, albeit less detailed, incident involved APT12 targeting organizations during the 2011 Fukushima Reactor Incident, likely to gather intelligence related to cleanup and mitigation efforts. Beyond these specific incidents, APT12 has maintained a consistent pattern of campaigns targeting East Asian governments, particularly those of Taiwan and Japan, as well as electronics manufacturers and telecommunications companies. These sustained regional campaigns have frequently involved the deployment of their signature malware families like IXESHE and Etumbot.

A defining characteristic of APT12’s operational approach is its rapid retooling following public exposure. For instance, after Arbor Networks published a detailed analysis of the Etumbot backdoor in May 2014, APT12 swiftly responded by deploying a modified variant, which FireEye dubbed HIGHTIDE, incorporating altered protocols and evasion techniques to avoid detection. This pattern of adapting and evolving its toolset in response to security vendor publications was also observed after the New York Times breach, when the group updated its AUMLIB and IXESHE malware.

Associated Malware & Tools

APT12 has utilized a range of custom malware and tools throughout its history, many of which demonstrate their ability to evolve and avoid detection:

  • IXESHE: This is one of APT12’s earliest and most frequently observed backdoors, with activity traced back to at least 2009.
  • AUMLIB: Another key backdoor in their arsenal, which was reportedly updated following the public disclosure of the New York Times breach.
  • Etumbot (also known as RIPTIDE): A widely deployed backdoor that was a staple in many APT12 campaigns.
  • HIGHTIDE: This malware emerged as a direct evolution of Etumbot/RIPTIDE. APT12 deployed HIGHTIDE with significantly altered network protocols and file paths in an effort to evade detection after its predecessor was publicly analyzed.
  • THREEBYTE: This backdoor has been observed in campaigns targeting organizations in Taiwan and Japan, and some reports have linked its use to APT12.
  • WATERSPOUT: Discovered around 2014, WATERSPOUT is another backdoor that showed considerable operational overlap with APT12’s known activities, including similar targeting and delivery mechanisms.
  • RapidStealer: This is a credential-stealing malware associated with the group.
  • IHEATE: Another tool linked to APT12’s operations.
  • Exploit Kits: The group has leveraged exploit kits, such as the “Tran Duy Linh” kit, which specifically targeted vulnerabilities like CVE-2012-0158 in Microsoft Word documents.

Current Status

Despite a reduced frequency of explicit public reporting naming “APT12” in very recent campaigns compared to its more active periods in the early to mid-2010s, security vendors continue to characterize Numbered Panda (APT12) as a highly capable and persistent cyber-espionage group. The group’s demonstrated ability to consistently evolve its operations and retool its malware following public disclosures strongly suggests ongoing capability and adaptation rather than a cessation of activities.

APT12’s targeting remains aligned with enduring PRC strategic interests in East Asia, particularly concerning Taiwan and Japan. This persistent geopolitical context ensures that the underlying motivations for the group’s activities remain highly relevant. While specific recent campaigns may be publicly attributed to broader “China-nexus” activity or new aliases, the historical pattern of evolution indicates that the operational capabilities and objectives associated with APT12 are likely sustained. The overarching assessment from recent threat intelligence points to APT12 maintaining its posture as an active and dangerous threat actor in the cyber espionage landscape.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call