Menu
Browse

Cyber Threat Actor: APT10

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
23 incidents
Profile

Stone Panda, also known as APT10, POTASSIUM, and Red Apollo, is a threat actor group that has been publicly linked to the Chinese government, with assessments tying its activities to officers of China’s Ministry of State Security and elements of Chinese military intelligence. The group has operated under multiple aliases in open‑source reporting and threat intelligence reports, reflecting its long‑running espionage focus. Attribution to Chinese state entities is explicitly cited in indictments and government advisories that describe the actors as working with, or under the acquiescence of, Chinese officials.

The group’s targeting, as described in the sources, spans a range of sectors and geographic regions with a clear emphasis on espionage and economic advantage. It has repeatedly targeted pharmaceutical and vaccine manufacturers in India to exfiltrate intellectual property for competitive advantage, as noted in reporting on the Serum Institute of India and Bharat Biotech incidents. Similar motives are described in Department of Justice statements that characterize the actors as seeking to steal trade secrets and degrade U.S. economic, technological, and military advantages. Beyond intellectual property theft, the actors have pursued strategic disruption, such as the spear‑phishing campaign against South Korean military officials involved in the THAAD missile defense deployment, which China publicly opposed. Their victim set also includes technology and cloud service providers, government agencies, non‑governmental organizations, defense contractors, and cloud‑based managed service providers, reflecting a broad interest in both governmental and private‑sector data that can serve state interests.

Observed tactics, techniques, and procedures include spear‑phishing emails with malicious attachments as an initial access vector, exploitation of publicly disclosed software vulnerabilities—including zero‑day flaws—before patches are applied, and the use of the ScanBox reconnaissance framework to harvest keystrokes and system information from compromised websites. The actors frequently exploit weak web servers, outdated web applications, and vulnerable content‑management systems to gain footholds. Once inside a network, they have employed stolen credentials to move laterally, deployed password‑stealing malware, and installed custom tools that allow remote command execution. For data exfiltration, they have compressed stolen files into archives and altered file extensions to evade detection, and have hidden malicious payloads in recycle bins. Their operations often involve compromising managed service providers or cloud infrastructure to pivot into client networks, a approach highlighted in the Cloud Hopper campaign and related advisories. Additionally, they have conducted reconnaissance that queries security, decompression, and virtualization products on victim systems to tailor further intrusion steps.

Representative campaigns illustrate the group’s scope and methods. The Cloud Hopper operation involved breaching major technology service providers such as IBM to access the networks of their downstream customers for the theft of corporate and government secrets over several years. In early 2021, the group was identified as targeting Indian vaccine manufacturers Serum Institute of India and Bharat Biotech, seeking to obtain vaccine‑related intellectual property amid the global pandemic. A 2019 compromise of a Pakistani government passport‑application portal deployed ScanBox to log visitor keystrokes and harvest system data without installing traditional malware. The same year, the Hong Kong branch of Amnesty International suffered a intrusion that exposed supporter names, identity numbers and contact details, an act attributed to Chinese state‑linked actors. Earlier, in 2017, spear‑phishing with weaponized attachments was used against South Korean military officials working on THAAD deployment, reflecting an attempt to disrupt a defense system opposed by China. The group has also been linked to intrusions into a Norwegian software firm as part of the Cloudhopper effort, where stolen credentials were used to attempt access to client secrets, and to a trade council’s website where reconnaissance tools were placed to gather intelligence on board members from major technology firms. These incidents collectively demonstrate a pattern of state‑aligned espionage, intellectual property theft, and strategic disruption conducted through a mix of social engineering, vulnerability exploitation, credential abuse, and supply‑chain compromise.

Incidents
Attributed incidents available to members
23 incidents
Sources
Sources available to members
9 sources