Cyber Incident Victim: APT17
Date: Jan 2010
Location: China
Summary
APT17, a cyber-espionage group linked to China's Ministry of State Security via its Jinan bureau, was exposed by Intrusion Truth, an anonymous cybersecurity collective. The collective identified three individuals operating as contractors for the ministry, alleging they conducted on-demand hacking operations from Jinan. This revelation followed Intrusion Truth's prior successful doxing of Chinese state-linked APT groups APT3 and APT10, which led to U.S. Department of Justice indictments. The exposure reinforced established patterns of Chinese state-sponsored cyber operations, though Chinese hacking activities reportedly continued despite previous indictments and naming efforts.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |

Description
Intrusion Truth, an anonymous collective of cybersecurity analysts, publicly identified three individuals associated with the advanced persistent threat group APT17 in July 2019, marking their third such exposure of Chinese state-linked hacking entities since 2017. The collective alleged these individuals operated through four Chinese companies based in Jinan, Shandong province, while serving as contractors for the Jinan bureau of China's Ministry of State Security (MSS). APT17—also tracked under the aliases Deputy Dog and Axiom by cybersecurity firms—had been implicated in coordinated cyberespionage campaigns dating back to the early 2010s. Intrusion Truth specifically linked the doxed individuals to on-demand hacking operations conducted for the MSS bureau. This revelation followed the collective's prior successful identifications of APT3 members in May 2017 and APT10 members in August 2018, both of which resulted in U.S. Department of Justice indictments against named individuals, in November 2017 and December 2018 respectively. The Jinan connection reinforced existing industry suspicions about regional MSS bureaus contracting private entities for cyber operations.

The 2019 APT17 disclosure generated less skepticism than Intrusion Truth's initial 2017 APT3 exposure, which cybersecurity firm Recorded Future later independently verified prior to DOJ action. This pattern of validation established Intrusion Truth's credibility within the threat intelligence community, shifting focus from questioning their methods to anticipating potential legal consequences. Media reports contemporaneous with the APT17 doxing indicated ongoing Chinese cyber operations targeting entities in France and Germany, suggesting prior indictments and naming tactics had not deterred adversary activity. The repeated correlation between Intrusion Truth's disclosures and subsequent U.S. legal actions created expectations that the APT17 revelations might prompt another DOJ response, though no indictments were confirmed in the immediate aftermath. Historical context showed these exposures consistently tied APT groups to specific MSS regional offices and their contractors, with Jinan joining Guangdong's Boyusec (APT3) as identified operational hubs.
