Threat Management, Distributed Workforce, Risk Assessments/Management

State-backed Chinese APT group expands activity to more sectors, countries

Symantec reported observing a Chinese state-backed APT group attacking governments and NGOs. Pictured: The Chinese flag is raised inside a stadium during the opening ceremony of the Beijing 2022 Winter Paralympics at the Beijing National Stadium on March 4, 2022, in Beijing. (Photo by Lintao Zhang/Getty Images)

A Chinese state-backed advanced persistent threat group (APT) is attacking governments and non-governmental organizations (NGOs) around the world, Symantec reported on its threat intelligence blog Tuesday.

Symantec’s Threat Hunter Team reported that the Cicada campaign, aka APT10, was heavily focused on espionage-style operations as far back as 2009 and targeted Japanese-linked companies several years ago. It has recently been observed attacking managed service providers with a more global footprint.

Since mid-2021, victims of the APT’s current campaign — with the most recent activity observed in February — include those in a wide number of sectors, such as government-related institutions, NGOs in the education and religious fields, as well as telecoms, legal and pharmaceutical sectors in Europe, Asia and North America. 

The Threat Hunter Team said that initial activity is seen on Microsoft Exchange Servers to deploy various tools, such as a custom loader and the Sodamaster backdoor. Sodamaster is believed to be exclusively used by Cicada and is capable of deploying multiple functions. Other tools used by Cicada allow the APT to obtain credentials and control victim machines remotely.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.