Red Apollo and Operation Cloud Hopper
This group stole intellectual property and confidential data from 12 countries
Technology theft campaign
Beginning in 2006, Red Apollo began an information theft campaign targeted at US government agencies, defence OEMs, and other corporations active in the areas of aviation, space and satellite technology, manufacturing, pharmaceuticals, oil & gas, communications, and microprocessors.
Spearphishing
They accomplished this using a technique called spearphishing. Spearphishing uses targeted emails designed to make the victim believe they are legitimate, often improving the chance of success by using personal information or other details that lend credibility to the email. The objective is to get the victim to click a link or open an attachment, either of which executes malicious code on the victim’s computer.
Famous examples of spearphishing attacks include the December 2015 cyberattack on 3 electricity distribution companies in Ukraine. The power grid was taken down in the attack. The attackers gained access to Kyivoblenergo, Prykarpattyaoblenergo, and Chernivtsioblenergo through a spearphishing email, then attacked their SCADA systems and disconnected more than 30 substations. The attack left hundreds of thousands of consumers without power for 1 to 6 hours.
Red Apollo used emails that demonstrated familiarity with the victim’s organisation and business. In one case, the email appeared to come from an employee of a communications technology company and was addressed to employees of a company involved in helicopter manufacturing. The subject of the email was “C17 Antenna problems”, and the attachment was labelled “12-204 Side Load Testing.doc”.
Remote access
Once the employee opened the attachment, malicious code inside it installed a Remote Access Trojan on the employee’s computer, giving Red Apollo unhindered access. Red Apollo then stole credentials and gained access to the company’s networks. They also downloaded more malware, compromising those computer systems even further.
Working their way through the company’s network, Red Apollo would identify data of interest, organise it in encrypted archives, and exfiltrate it to their own systems. Once exfiltration was complete, Red Apollo would delete the archives from the victim’s computers, covering their tracks and making it difficult to assess what had been stolen.
During the course of this campaign, Red Apollo compromised more than 90 computer systems, and stole hundreds of gigabytes of data. Their victims included the NASA Goddard Space Center, NASA’s Jet Propulsion Laboratory, many aviation and defence OEMs, companies involved in communications technology, and a host of other manufacturing and technology companies.
Operation Cloud Hopper
In 2014, Red Apollo took its activities up a notch. Using the same spearphishing tactics that had yielded such brilliant results in the technology theft campaign, Red Apollo targeted a Managed Service Provider based in New York State.
A managed service provider (MSP) is a third-party company that remotely manages a customer's information technology (IT) infrastructure and end-user systems. —TechTarget
Once Red Apollo had gained access to MSP computers, it stole administrator credentials and used those credentials and Remote Desktop Protocol connections to gain access to computer systems and networks belonging to the MSP’s client organisations.
Once inside client systems, Red Apollo identified data of interest, organised it in encrypted archives, exfiltrated those archives, and removed all traces of its activities. Its geographical spread of victims was wider this time, with companies and entities in at least 12 countries — United Kingdom, United States, Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia — targeted through Operation Cloud Hopper.
Red Apollo also managed to compromise 40 computer systems belonging to the United States Navy, and stole records relating to 130,000 US Navy personnel. Data stolen included names, social security numbers, salary information, personal phone numbers, and email addresses.
Red Apollo
Red Apollo is also known as APT10, MenuPass, Stone Panda, and POTASSIUM. It is a Chinese state-sponsored cyberespionage group that operates under the name Huaying Haitai Science and Technology Development Company, and reports to the Tianjin State Security Bureau of the Ministry of State Security.
The United States indicted two individuals from Red Apollo, Zhu Hua and Zhang Shilong, on multiple charges for the technology theft campaign and Operation Cloud Hopper in 2018.
The indictment can be accessed here (PDF file).