On December 20, 2018 the US Department of Justice indicted two Chinese nationals on charges of computer hacking, conspiracy to commit wire fraud, and aggravated identity theft. The two are alleged members of a hacking group known as menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium) which according to the indictment, allegedly carried out the illegal activity at the behest of the Chinese Ministry of State Security. The charges in the indictment stem from a lengthy attack campaign called Operation Cloud Hopper that began in 2014 which largely targeted Managed Security Providers (MSPs) to not only steal MSP and clients’ intellectual property but also leverage the networks for further attacks. The US-Cert also published two advisories, TA17-117A and TA18-276B. The first details the activity and the second contained protection, detection, and remediation advice for MSPs and customers.
The compromised organizations were located around the world in industries such as banking and finance, healthcare and medical equipment, government, aerospace, defense, telecommunications, and consumer electronics. menuPass’ hacking activity started as early as 2006 and continues to this day; they have shown a marked interest in Japan since 2014.
The group has been active since approximately 2006 and has targeted healthcare, defense, aerospace, and government sectors around the world, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university.
Unit 42 is releasing all IOCs we have associated with menuPass in an effort to provide defenders with an extensive list of their malware and attack infrastructure. We are also publishing a menuPass Playbook based on activity from late 2016. The described attacks took place during the timeframe pointed out by the US Department of Justice and match the TTPs described in the indictment.
For Palo Alto Networks customers, all of the malware and infrastructure is correctly marked as malicious within our platform. All of the domains, samples, and C2 infrastructure are flagged as malicious, as appropriate, within Threat Prevention, WildFire, Traps, and PAN-DB.
AutoFocus customers can further investigate this activity using the following tags:
The below malware families are used by multiple groups, so their presence in a network is not necessarily related to menuPass. However, if found it indicates a possible network intrusion and should be investigated.