G0025 APT17

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. ¹

Item	Value
ID	G0025
Associated Names	Deputy Dog
Version	1.1
Created	31 May 2017
Last Modified	13 October 2020
Navigation Layer	View In ATT&CK® Navigator

Associated Group Descriptions

Name	Description
Deputy Dog	¹

Techniques Used

Domain	ID	Name	Use
enterprise	T1583	Acquire Infrastructure	-
enterprise	T1583.006	Web Services	APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.¹
enterprise	T1585	Establish Accounts	APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads.¹

Software

ID	Name	References	Techniques
S0069	BLACKCOFFEE	¹	Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal Multi-Stage Channels Process Discovery Dead Drop Resolver:Web Service Bidirectional Communication:Web Service

References

FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. ↩↩↩↩↩