Chinese APT15 Group Steals UK Military Docs

A suspected Chinese APT group has been spotted raiding a UK government contractor for military and other sensitive documents. APT15 is also known as Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon – a group operating for several years from servers registered in China and with Chinese-language infrastructure. NCC Group claimed at the weekend that it spotted the group stealing sensitive documents from one of its clients, a government contractor, back in May. It appeared to be using a blend of old and new tools: previous backdoor BS2005 now appearing alongside new versions RoyalCli and RoyalDNS.

“All of the backdoors identified – excluding RoyalDNS – required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key. We believe that APT15 could have employed this technique in order to evade behavioral detection, rather than due to a lack of sophistication or development capability,” explained the firm.
