Also known as: Ixeshe, DynCalc, DNSCalc, “Darwin’s favorite APT group”
First known appearance: 2012
Threat Actors: People’s Republic of China, China People’s Liberation Army
Targets: Western journalists, U.S. military contractors, Taiwanese and Japanese governments and Japanese technology companies, especially satellite and crypto technology firms
Objective: To maintain surveillance on media outlets that could impact the reputation of Chinese leaders and to collect intelligence on military technology companies in the United States, Japan and Taiwan.
Overview: More clandestine, discriminating and skilled than many other groups operating out of China, APT12 primarily targets journalists and military contractors from the United States and the Pacific Rim. APT12 specializes in gathering highly specific information of interest to the Chinese government and military. APT12 follows news coverage about itself and modifies its tools and techniques accordingly.
Associated malware: RIPTIDE, HIGHTIDE, THREEBYTE, WATERSPOUT
Typical attack vectors: APT12 typically uses spear phishing as its primary delivery method, sending emails that contain malicious links or attachments to employees of the targeted organization. If someone takes the bait, APT12 then installs multiple backdoors such as RIPTIDE.
RIPTIDE is a proxy-aware backdoor that communicates over HTTP with a hard-coded command-and-control (CnC) server. RIPTIDE’s first communication with its CnC server fetches an RC4 encryption key, which is then used to encrypt all further communication. Once the backdoor is in place, APT12 typically installs custom software and remote access tools to search for and siphon targeted data.
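The key-fetch-then-RC4 design described above has a consequence for network forensics: if an analyst holds a capture of the whole session, the key observed in the first exchange decrypts everything that follows. The following Python is an added illustration, not RIPTIDE code and not from the page's source; it assumes, as a constructed simplification, that the key is returned unobfuscated in the body of the first HTTP response (the page does not say how the key is delivered). The URI path `/get_key`, the `build_constructed_session` helper and the sample commands are constructed for the example.

```python
"""Added example: decrypting a captured RC4-over-HTTP C2 session from the
key-fetch exchange. Constructed messages only; no real malware traffic."""

# Hypothetical URI for the key fetch (an assumption for this example; the
# real backdoor's URIs are not given on the page).
KEY_FETCH_PATH = "/get_key"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA). Encrypt and decrypt are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_constructed_session(key: bytes, commands):
    """Build a constructed capture: a list of (direction, path, body) tuples.
    The first exchange fetches the key; later server->client bodies are
    RC4-encrypted tasking. Stands in for what a PCAP would show."""
    session = [
        ("c2s", KEY_FETCH_PATH, b""),         # implant asks for its key
        ("s2c", KEY_FETCH_PATH, key),         # server returns the key (assumed cleartext)
    ]
    for cmd in commands:
        session.append(("s2c", "/cmd", rc4(key, cmd)))
    return session


def recover_key(session):
    """Return the key from the observed key-fetch response, or None if the
    capture does not include that exchange."""
    for direction, path, body in session:
        if direction == "s2c" and path == KEY_FETCH_PATH and body:
            return body
    return None


def decrypt_session(session):
    """Decrypt every post-key-fetch body with the recovered key. Without the
    key-fetch exchange in the capture, later traffic cannot be decrypted."""
    key = recover_key(session)
    if key is None:
        raise ValueError("key fetch not observed; later traffic stays opaque")
    return [rc4(key, body) for _, path, body in session if path != KEY_FETCH_PATH]


if __name__ == "__main__":
    capture = build_constructed_session(b"Wiki", [b"dir c:\\", b"exit"])
    for body in decrypt_session(capture):
        print(body.decode())
```

The practical point for defenders is the `recover_key` failure branch: a capture that begins after the key fetch (for example, one started only after an alert) cannot be decrypted this way, which is an argument for full-session retention on the egress path rather than alert-triggered captures.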