Chinese APT Groups Continue to Leverage Open-Source and Custom Reconnaissance Tools in Cyber Espionage Campaigns
The Natto Thoughts team recently uncovered key insights into the reconnaissance techniques used by Chinese state-sponsored threat actors. A deep dive into the tactics of APT41 and other groups such as APT10, GALLIUM, and Stately Taurus, revealed a heavy reliance on both open-source and customized reconnaissance tools. These tools, like NBTscan and ScanBox, play a pivotal role in facilitating cyber espionage efforts aimed at critical sectors globally.
APT41, one of China’s most prolific cyber threat groups, has been known to use widely available open-source tools in its reconnaissance operations. Among them is Nmap, a free network scanner used to discover devices and services across networks. Nmap’s versatility makes it an essential tool for APT41, allowing them to perform network discovery, identify open ports, and assess vulnerabilities. Other Chinese groups like APT10 and GALLIUM have similarly adopted open-source tools to streamline their reconnaissance processes.
NBTscan, a tool with over ten years of recorded use, stands out as a favorite among Chinese state actors. This tool, designed to scan IP networks for NetBIOS name information, has been repeatedly deployed by groups like APT10, GALLIUM, and Stately Taurus. Whether in major campaigns such as Operation Cloud Hopper or attacks on global telecommunications providers, NBTscan remains instrumental in discovering critical network resources and performing lateral movement within compromised systems.
APT10, for example, used NBTscan extensively during Operation Soft Cell, targeting telecommunications firms to gain access to sensitive data. Similarly, GALLIUM’s attack campaigns on telecom providers in 2019 revealed the group’s reliance on modified NBTscan versions for network exploration.
Another tool favored by Chinese actors is ScanBox, a reconnaissance framework that has been actively used since 2014. Groups like APT40 and Red Apollo (APT10) have used ScanBox to gather intelligence on networks of interest. In recent reports, APT40 was observed deploying ScanBox in phishing campaigns, using fake websites to lure targets into executing malicious scripts. The tool’s effectiveness in capturing detailed reconnaissance data ensures its continued use across multiple campaigns.
APT40, associated with China’s Ministry of State Security, has been leveraging tools like ScanBox to target industries of geopolitical significance, such as energy infrastructure and defense contractors. The group has been observed using this tool to identify vulnerable systems, particularly those with outdated software, enabling rapid exploitation.
As Chinese threat actors continue to evolve, new tools like Yasso have entered the scene. First observed in Operation Diplomatic Specter by TGR-STA-0043, Yasso represents a shift in tactics with its advanced SQL penetration capabilities and multi-functional scanning features. Unlike traditional tools like NBTscan, Yasso offers more powerful scanning options, making it easier for threat actors to gain access to databases and launch sophisticated attacks.
While many Chinese threat actors rely on open-source tools, they also modify and customize them to suit their needs. Tools like Rclone and LadonGo, frequently used by Chinese APTs, often undergo extensive modification, providing attackers with tailored capabilities to exploit specific targets.
For example, in Operation Diplomatic Specter, Chinese actors used LadonGo alongside NBTscan to execute deep scans on governmental networks. This combination allowed the threat group to conduct thorough reconnaissance and identify weak spots in their targets’ infrastructure.
Beyond traditional threat groups, Earth Krahang, a Chinese-nexus threat actor, demonstrates how scanning tools like sqlmap and nuclei are employed to exploit vulnerabilities in public-facing servers. Earth Krahang uses open-source tools to conduct brute-force directory searches, identifying sensitive files that may contain valuable information such as passwords and system configurations.
The reliance on reconnaissance tools, both open-source and custom-built, underscores the adaptability of Chinese cyber threat actors. Tools like NBTscan, ScanBox, and Yasso remain critical to their operations, allowing them to perform in-depth network discovery and lateral movement across compromised systems. As Chinese threat actors continue to expand their toolkit, organizations must adopt proactive measures, including continuous network monitoring, to mitigate the risks posed by these sophisticated tools.
