(TLP:WHITE) Technical Details of APT10’s Intrusion Activities

The FBI has released a FLASH message regarding information it has obtained on activities performed by a group of malicious cyber actors associated with the Chinese government referred to as “APT10.” On December 20, officials from the U.S. Department of Justice and the U.S. Department of Homeland Security disclosed that they had observed APT10 compromising Managed Service Providers (MSPs), which include Cloud Service Providers (WaterISAC reported on this information that same day, which included a summary in the December 20 SRU). The FLASH includes technical details of the custom tools APT10 has developed and deployed against its targets, which include the REDLEAVES remote access Trojan, the UPPERCUT (aka ANEL) backdoor Trojan, the CHCHES remote access Trojan. The FBI advises that these tools be immediately flagged if detected, reported to the FBI’s Cywatch (cy*****@*bi.gov or 855-292-3937), and given highest priority for enhanced mitigation. The FLASH includes a series of recommended steps for initial mitigation.