APT17 (Deputy Dog): A Persistent Chinese Cyber Espionage Threat
- Suspected Origin
- China
- Motivation
- Espionage, Financial Gain
- Aliases
- Deputy Dog
- Target Sectors
- Government, Defense, Legal, Information Technology, Mining, Healthcare, Telecommunications, Gaming, NGOs
- Associated Malware
- BLACKCOFFEE, 9002 RAT, Winnti, ShadowPad, PlugX, Cobalt Strike, ChinaChopper, Gh0st RAT, Poison Ivy
Overview
APT17, also known by the alias Deputy Dog (MITRE ATT&CK ID G0025), is a sophisticated, state-sponsored cyber espionage group originating from China. Our intelligence indicates that this group has been active since at least 2009 and is closely affiliated with the Chinese Ministry of State Security (MSS), specifically linked to the Jinan bureau. While some reporting has conflated APT17 with other notable groups like APT41 or the broader Winnti umbrella, APT17 maintains a distinct operational profile.
The primary motivation behind APT17’s activities is cyber espionage, focused on stealing sensitive information, intellectual property, and trade secrets to advance China’s economic and strategic interests. Although their main objective is espionage, they have also been observed engaging in financial theft and supply chain attacks. Their targeting is broad and strategic, encompassing U.S. government entities, the defense industry, aerospace and defense companies, law firms, information technology companies, mining corporations, and non-government organizations (NGOs). More recently, their focus has expanded to include healthcare, telecommunications, and even the gaming sector. Geographically, APT17 primarily targets organizations in the United States, Europe, and East Asia, with notable activity observed in Japan and recent campaigns in Italy.
Tactics & Techniques
APT17 employs a diverse arsenal of tactics, techniques, and procedures (TTPs) designed for stealth and persistence. Initial compromise often relies heavily on spear-phishing emails, frequently customized to specific targets and sometimes using lures such as “Game of Thrones” themes. They have a history of exploiting zero-day vulnerabilities in widely used software, a testament to their technical sophistication. Past examples include leveraging flaws in Microsoft’s Internet Explorer (e.g., CVE-2013-3893) and more recently, exploiting critical vulnerabilities such as CVE-2019-0708 (BlueKeep) and CVE-2020-0688 (Microsoft Exchange).
Beyond direct exploitation, APT17 also uses supply chain attacks and watering hole attacks, compromising legitimate websites frequented by their targets to distribute malware. A notable example of this was the 2017 CCleaner supply chain attack, where malware was delivered through legitimate software updates, exhibiting code similarities to APT17/Aurora malware.
For maintaining persistence and establishing command-and-control (C2), APT17 has shown ingenuity. They have been observed using a technique dubbed “hiding in plain sight” by leveraging legitimate online platforms. Specifically, in 2013, they used Microsoft’s TechNet blog to host encoded C2 infrastructure for their BLACKCOFFEE malware. They created bogus profiles and posted encoded C2 IP addresses within forum threads, using these as “drop-dead resolvers” to obfuscate their true C2 channels. This technique falls under MITRE ATT&CK techniques such as Acquire Infrastructure: Web Services (T1583.006) and Establish Accounts (T1585). Once inside, they utilize custom malware, backdoors, and Remote Access Trojans (RATs) to maintain long-term access. For data exfiltration, they typically employ encrypted channels, FTP, and legitimate cloud services to blend in with normal network traffic. Lateral movement within compromised networks often involves credential theft, Pass-the-Hash techniques, and further exploitation of network vulnerabilities.
Notable Campaigns
APT17 has been linked to several high-profile campaigns and incidents throughout its operational history:
- Operation Aurora (2009): This groundbreaking cyber espionage campaign notably targeted Google and other major technology and defense companies, employing the Hydraq (Aurora) Trojan horse.
- Operation DeputyDog (2013): This campaign leveraged zero-day vulnerabilities in Microsoft Internet Explorer, specifically CVE-2013-3893, and was observed targeting Japanese entities.
- Sunshop Campaign (2013): APT17 was observed injecting malicious redirects into various websites as part of this campaign.
- Community Health Systems Breach (2014) and U.S. Office of Personnel Management Breach (2015): The group has been linked to these significant data breaches, demonstrating their targeting of sensitive government and healthcare data.
- CCleaner Supply Chain Attack (2017): While attribution can be complex, code similarities strongly link APT17 to the compromise of Avast’s CCleaner software, which impacted millions of users and specifically targeted major technology firms like Cisco, Samsung, VMware, and Google with second-stage malware.
- Operation Cloud Hopper: Some reporting links APT17 to this large-scale campaign targeting Managed Service Providers (MSPs) to gain access to their global client networks.
- Italian Campaigns (June/July 2024): Most recently, APT17 has been actively targeting Italian companies and government entities through spear-phishing attacks. These campaigns involved malicious Office documents or links disguised as legitimate Skype for Business installers, delivering variants of the 9002 RAT malware.
Associated Malware & Tools
APT17’s toolkit is extensive and evolves, but several malware families and custom tools are consistently associated with the group:
- BLACKCOFFEE: A versatile backdoor, notably used in their TechNet C2 operations, capable of file and process operations and creating reverse shells.
- 9002 RAT (Hydraq, McRAT): A modular remote access Trojan used in Operation Aurora and, significantly, in their recent 2024 campaigns against Italian targets. It includes capabilities for network traffic monitoring, screenshotting, file enumeration, and process management, and can update itself, including diskless variants.
- Winnti: A well-known backdoor that is part of a broader malware umbrella and has been used in operations attributed to APT17, including Operation CuckooBees.
- ShadowPad: Another backdoor known for its modularity and frequently used by Chinese state-sponsored groups.
- PlugX: A common remote access Trojan favored by Chinese threat actors.
- Cobalt Strike: A legitimate penetration testing tool often co-opted by threat actors for post-exploitation activities, including lateral movement and C2.
- ChinaChopper: A popular web shell used for persistent access to compromised web servers.
- Other tools seen in their arsenal include Gh0st RAT and Poison Ivy, as well as several custom-developed backdoors.
Current Status
APT17 remains an Active and persistent threat. Recent intelligence confirms their continued operations in June and July 2024, demonstrating their ongoing cyber espionage activities against Italian companies and government organizations. This indicates their adaptive nature and willingness to evolve tactics, such as the continued updates to older malware like 9002 RAT, to bypass modern defenses. The group consistently displays a high level of technical skill and is well-resourced, posing a serious and enduring risk to a wide array of sectors globally. Organizations, especially those in government, defense, technology, and critical infrastructure, should maintain heightened awareness of APT17’s TTPs and regularly review their defensive postures against the techniques outlined here.
Related content
Axiom (G0001): Profile of a Sophisticated Chinese Cyber Espionage Group
Adversary ProfileMustang Panda (G0129): China-Aligned Cyber Espionage Group Profile
Adversary ProfilePittyTiger: Persistent Espionage from the Far East
Adversary ProfileAPT19: Persistent Chinese Cyber Espionage and Credential Theft
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call