APT12 is a Chinese threat actor group with possible connections to the Chinese People’s Liberation Army. APT12 has successfully targeted various organizations in government, media, and high technology. They are also known as IXESHE, DynCalc, Numbered Panda, and DNSCALC. APT12 has more recently been targeting both Taiwan and Japan.
Early in 2013, APT12 was responsible for attacks on the New York Times. These attacks infiltrated their networks and computer systems and obtained and exfiltrated password data used by reporters and other employees. At the time, the attacks seemed to coincide with the New York Times investigation regarding the collection of billions of dollars by relatives of Wen Jiabao (then the Chinese prime minister). These APT12 attackers also broke into the email of the New York Times bureau chief David Barboza. David Barboza also wrote the reports on Wen’s relatives. Further, APT12 also targeted the New York Times South Asia bureau chief, who was previously the bureau chief in Beijing.
Ultimately the security team researching the attacks determined that APT12 had stolen the corporate passwords for every New York Times employee! This theft included employees both within and outside of the new room. Additionally, the hacking activity centered around finding information about the Wen family. Further, at this time, no data appeared to have been stolen.
Per the MITRE ATT&CK website, MITRE techniques used by APT12 include:
|Enterprise||T1568||.003||Dynamic Resolution: DNS Calculation||APT12 has used multiple variants of DNS Calculation,including multiplying the first two octets of an IP address and adding the third octet to that value to get a resulting command and control port.|
|Enterprise||T1203||Exploitation for Client Execution||APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).|
|Enterprise||T1566||.001||Phishing: Spearphishing Attachment||APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.|
|Enterprise||T1204||.002||User Execution: Malicious File||APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing|
|Enterprise||T1102||.002||Web Service: Bidirectional Communication||APT12 has used blogs and WordPress for C2 infrastructure.
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.
Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.