China-based cyber espionage group APT10 has targeted a number of manufacturing companies and IT service providers in India, using both traditional and novel methods, as part of its systematic global hacking operations.

The cyber espionage group, also known as MenuPass Group, has targeted or compromised manufacturing companies in Japan and Northern Europe, a mining company in South America and multiple IT service providers worldwide, according to a study by US-based cyber security group FireEye. FireEye detected these activities across six continents in 2016 and 2017.

“IT services have been a core engine of India’s economic growth, with service providers here scaling the value chain to manage business-critical functions of top global organisations. Campaigns like this highlight risks, which all organisations should factor into their operations,” said Kaushal Dalal, Managing Director for India at FireEye.

However, the names of the Indian companies were not disclosed.

“We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations,” FireEye said in a blog post.

FireEye has been tracking APT10 - which has historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan - since 2009.

This recent APT10 activity has included both traditional spear phishing and access to victims’ networks through service providers (managed security providers), which have significant access to customer networks. Spear phishing is the fraudulent practice of sending e-mails ostensibly from a known or trusted sender in order to obtain confidential information such as logins and passwords.

In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily, it added.
APT10 also unveiled new tools for its activities in 2016 and 2017. In addition to the continued use of SOGU (a Trojan horse that opens a back door on a compromised computer), it used malware such as HAYMAKER, SNUGRIDE, BUGJUICE and a customised version of the open source QUASARRAT. These new pieces of malware show that APT10 is devoting resources to capability development and innovation, it added.