Menu
Browse

Cyber Threat Actor: APT10

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
0 incidents
Profile

APT10, also known by the aliases Stone Panda, POTASSIUM, Red Apollo, MenuPass and CVNX, is a threat actor group that operates from China and has been publicly linked to the Ministry of State Security, specifically the Tianjin State Security Bureau. The group has been active for more than a decade, conducting global computer intrusion campaigns that have been described in multiple government and industry reports as being carried out on behalf of the Chinese state. Its aliases appear in indictments, security alerts and research reports that consistently tie the activity to Chinese state‑sponsored espionage efforts.

The group’s strategic focus, as described in open sources, is the exfiltration of intellectual property and confidential business information to gain a competitive advantage for Chinese interests. It has targeted a wide range of sectors including aviation, satellite and maritime technology, industrial factory automation, automotive supplies, laboratory instruments, banking and finance, telecommunications and consumer electronics, computer processor technology, information technology services, packaging, consulting, medical equipment, healthcare, biotechnology, pharmaceutical manufacturing, mining and oil and gas exploration and production. In addition to broad industry targeting, APT10 has specifically pursued managed service providers as a means to reach the networks of their clients, and it has pursued technology companies and United States government agencies to steal data concerning various technologies. The motivation behind the intrusions against Indian vaccine makers such as the Serum Institute of India and Bharat Biotech has been explicitly described as the theft of intellectual property to obtain a competitive edge over Indian pharmaceutical firms.

The tactics, techniques and procedures attributed to APT10 in the sources include the use of stolen login credentials to gain initial access, as seen in the intrusion of the Norwegian software firm Visma. The group has also exploited weak web servers, vulnerable web applications and insecure content‑management systems to infiltrate the networks of targets such as Indian vaccine manufacturers. A central element of its approach is the compromise of managed service providers, which it then leverages to move into the customer networks of those providers, a supply‑chain technique highlighted in multiple alerts and reports. Additionally, APT10 has conducted a dedicated technology theft campaign that breached more than forty‑five technology companies and United States government agencies to collect data on aviation, space, satellite, manufacturing, pharmaceutical, oil and gas, communications, computer processor and maritime technologies, amassing hundreds of gigabytes of sensitive information.

Notable campaigns publicly associated with APT10 include the Cloud hopper operation, in which the group compromised technology firms and managed service providers across the globe despite a 2015 U.S.–China agreement to curb economic espionage. The group was also identified as the actor behind the targeting of Indian vaccine makers SII and Bharat Biotech, where it sought to exploit gaps in web‑facing infrastructure. Another publicly reported operation involved the compromise of Norwegian software company Visma, where stolen credentials were used to attempt to reach client systems for commercially‑sensitive information. Finally, APT10’s broader activity has included intrusions into United States government agencies and technology companies through the compromise of managed service providers, as well as the technology theft campaign that targeted a diverse set of high‑technology sectors and government entities. These activities collectively illustrate a sustained effort by the group to acquire valuable intellectual property and strategic information on behalf of its state sponsor.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
53 sources