Cobalt Strike reemerges under new APT10 campaign, targets Japan
Target: Japanese organizations currently, potential future risk for Western nations
Attack Vector: Cobalt Strike program is pushed on target PC’s through either an executable file or malicious macros
Threat Actor: APT10 (also known as Menupass Team)
Summary: The penetration testing tool, Cobalt Strike has once again been observed as part of a campaign, this time by APT10, who are suspected to originate in China. This is the first time the group have been seen using this tool, which previously was utilised by APT19. Since late April, APT10 have been targeting Japanese corporations. Due to it being a legitimate programme, the use of Cobalt Strike makes the group’s attacks even more difficult to defend against. Furthermore, the use of cyber espionage tactics from a Chinese-based APT group against Japanese organisations is a concerning trend. The two nations have long held cold relations and this will further strain Sino-Japanese ties. Risk assessment summary: This threat is assessed as 3c MODERATE. While there is a constant underlying threat of escalation between Japan and China, it is unlikely that an isolated cyber espionage campaign would trigger conflict, largely due to both nations being large trading partners. Any military conflict would leave both sides losing a large amount of trade and it is unlikely either nation would want to risk this unless absolutely necessary. Yet APT10 is still an active group and it is likely they will continue to carry out actions in the name of the Chinese state. Persistent cyber espionage, in tandem with events on the ground, could contribute to a rise in tensions and a change in the situation. There is also the possibility APT10 will target other nations such as the US or UK.
Cobalt Strike has been seen to be used to great effect by multiple threat actors, and in this case, allows APT10 access to a range of sensitive information and the ability to control what files are present on a target system as well as the ability to execute said commands on a target system