Actor: Lead
Names: Lead, TG-3279, Casper
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First-seen: 2016
Description: (Microsoft) In the past few years, Lead’s victims have included:
• Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics
• Pharmaceutical companies
• A company in the chemical industry
• University faculty specializing in aeronautical engineering and research
• A company involved in the design and manufacture of motor vehicles
• A cybersecurity company focusing on protecting industrial control systems
During these intrusions, Lead’s objective was to steal sensitive data, including research materials, process documents, and project plans. Lead also steals code-signing certificates to sign its malware in subsequent attacks.
In most cases, Lead’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, Lead gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.
Observed-sectors: Online video game companies
Observed-sectors: Pharmaceutical
Observed-sectors: Technology
Observed-sectors: Telecommunications
Observed-countries: Japan
Observed-countries: USA
Tools: Cobalt Strike
Tools: Winnti
Last-card-change: 2020-04-14
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
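The initial-access pattern the description attributes to Lead, brute-forcing remote access logins and then copying the Winnti installer onto the compromised host, is one a SOC can hunt for directly in authentication telemetry. The following is an added example, not part of the ETDA card or of Microsoft's report: a sliding-window detector run over a constructed, simplified authentication log. The log format (one event per line: ISO timestamp, source IP, username, SUCCESS or FAILURE), the sample addresses and usernames, and the threshold and window values are all assumptions chosen for illustration.

```python
"""Hunt for a remote-access brute-force burst that ends in a successful logon.

Added example for the actor card above; not code from ETDA or Microsoft.
The log format and all sample values below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
# Format assumed here: "<ISO timestamp> <src_ip> <user> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2020-04-01T08:00:01 203.0.113.7 administrator FAILURE
2020-04-01T08:00:02 203.0.113.7 administrator FAILURE
2020-04-01T08:00:03 203.0.113.7 admin FAILURE
2020-04-01T08:00:04 203.0.113.7 root FAILURE
2020-04-01T08:00:05 203.0.113.7 svc_backup FAILURE
2020-04-01T08:00:06 203.0.113.7 svc_backup SUCCESS
2020-04-01T08:10:00 198.51.100.4 jsmith FAILURE
2020-04-01T08:10:30 198.51.100.4 jsmith SUCCESS
2020-04-01T09:00:00 192.0.2.9 jdoe SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for sources with >= threshold failures inside
    a sliding window. If a SUCCESS arrives from that source while the burst
    is still inside the window, record it: that is the "guessed it" signal
    worth escalating over a plain burst of failures."""
    recent = defaultdict(deque)   # src_ip -> failures still inside the window
    alerts = {}
    for ts, ip, user, result in sorted(events):
        q = recent[ip]
        # Expire failures that fell out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "FAILURE":
            q.append((ts, user))
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"first_seen": q[0][0], "failures": 0,
                                          "users": set(), "success": None})
                a["failures"] = max(a["failures"], len(q))
                # Many distinct usernames from one source suggests spraying,
                # a single username suggests password guessing.
                a["users"].update(u for _, u in q)
        elif result == "SUCCESS" and len(q) >= threshold:
            # Alert already exists: the failure that reached the threshold created it.
            alerts[ip]["success"] = (ts, user)
    return alerts


def summarize(alerts):
    """Render alerts as one line each, highest severity first."""
    lines = []
    for ip, a in sorted(alerts.items(), key=lambda kv: kv[1]["success"] is None):
        sev = "HIGH (success after burst)" if a["success"] else "MEDIUM (burst only)"
        lines.append(f"{sev}: {ip} {a['failures']} failures since {a['first_seen']}, "
                     f"users={sorted(a['users'])}, success={a['success']}")
    return lines


if __name__ == "__main__":
    for line in summarize(detect_bruteforce(parse_events(SAMPLE_LOG))):
        print(line)
```

On the constructed sample only 203.0.113.7 is flagged: five failures across four usernames in five seconds, then a success for svc_backup. The lone failure-then-success from 198.51.100.4 is the ordinary mistyped-password case and stays below the threshold. In a real deployment the same logic would read Windows 4625/4624 events or sshd auth logs and should key on source address and target host together, since the actor may spread attempts across many hosts.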