Also known as: UPS

First known appearance: 2014

Threat Actors: Undisclosed (based in China)

Targets: Companies in the energy, aerospace and defense, construction and engineering, high-tech, telecommunications and transportation sectors

Objective: Undisclosed

Overview: APT3 leverages zero-day vulnerabilities in widespread but infrequent phishing campaigns. The recent use of known exploits, social engineering and more frequent attacks implies a possible shift in strategy and possibly a lack of access to further zero-day exploits. Regardless, APT3 has been identified as the main actor behind a major attack campaign called Operation Clandestine Fox.

Associated malware: Shotput, CookieCutter, PlugX/Sogu

Typical attack vectors: APT3 is primarily known for sending out spear-phishing messages that contain a compressed executable attachment. The attackers have leveraged multiple exploits targeting CVE-2014-6332 and CVE-2014-4113.

