Menu
Browse

Cyber Threat Actor: APT17

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
2 incidents
Profile

The threat actor known as APT17, also tracked under the aliases Elderwood and Deputy Dog, is believed to operate from China. Public reporting links the group to contractors working for the Jinan bureau of China's Ministry of State Security, as revealed by the Intrusion Truth doxing effort. This connection establishes a clear state‑sponsored affiliation for the actor. The aliases are used interchangeably in open‑source threat intelligence.

APT17’s observed targets include government agencies and vertical organizations that rely on region‑specific Japanese software. The actor’s campaigns have focused on exploiting zero‑day vulnerabilities in applications such as Sanshiro spreadsheets, Ichitaro word processors and SkySea Client View management tools. The primary objective of these intrusions appears to be cyber‑espionage, with data exfiltration as a consistent outcome. No public reporting attributes financial gain or destructive intent to the group’s activities.

Initial access is typically gained through spear‑phishing emails that carry malicious documents tailored to the victim’s locale. These documents leverage unpatched flaws in the targeted Japanese software to achieve remote code execution. Once execution is achieved, the actor deploys a suite of remote access tools, notably PlugX, Emdivi, Agtid, NodeRAT and Wali, to maintain persistence and move laterally. The tooling style emphasizes the use of lightweight, modular malware that can be updated via command‑and‑control infrastructure.

A representative campaign began in early 2014 and continued for multiple years, during which APT17 and an associated group, Bronze Butler, exploited zero‑day flaws in Japanese software to infiltrate numerous government and sector‑specific networks. The operation involved spear‑phishing with malicious Sanshiro, Ichitaro and SkySea files, leading to the installation of the aforementioned malware families for remote access and data theft. A separate public disclosure in 2010 identified three individuals as Jinan‑based contractors conducting on‑demand hacking for the Ministry of State Security, providing early insight into the actor’s structure. Together, these examples illustrate the actor’s long‑standing focus on espionage‑oriented intrusions against Japanese‑centric software environments.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source