Threat Actor Profile - APT22

Threat Actor: APT22; AKA "Barista"
Date of Activity: ~2014 - Present
Area of Operations: APT22 is believed to be based in China and primarily targets organizations and individuals in the United States, Europe, and Southeast Asia.
Overview: APT22 has a nexus to the Chinese government and is assessed to be associated with the PLA. The group has been operational since at least early 2014, carrying out intrusions and attack activity against public and private sector entities, including dissidents.
APT22 threat actors have used strategic web compromises (watering-hole attacks) to passively exploit targets of interest. They have also identified vulnerable public-facing web servers on victim networks and uploaded webshells to gain a foothold in the victim network, in addition to running highly targeted and sophisticated spear-phishing campaigns. When a target clicks a phishing link, the host is implanted with malware that collects data, enables further access, and downloads and uploads files for follow-on operations.
The group has on numerous occasions targeted biomedical, pharmaceutical, and healthcare organizations, including an attack on a cancer research institution.
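The webshell TTP above (scripts dropped onto a public-facing web server after a vulnerability is exploited) leaves a characteristic trace in web server access logs: POST requests to a server-side script the application never shipped, typically under an upload or static-content directory, with no Referer and a non-browser User-Agent. The following Python is an added detection example, not code from the original profile or from any vendor report on APT22; the log lines in SAMPLE_LOG are constructed, and KNOWN_SCRIPTS is a hypothetical deployment baseline that in practice would come from the release manifest of the web application.

```python
import re
from collections import defaultdict

# Constructed combined-format (Apache/nginx style) access-log sample.
# Hypothetical data for illustration; not from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2019:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Mar/2019:10:02:44 +0000] "POST /login.php HTTP/1.1" 302 0 "http://intranet/" "Mozilla/5.0"
198.51.100.23 - - [03/Mar/2019:10:05:01 +0000] "POST /uploads/img/help.php?cmd=1 HTTP/1.1" 200 812 "-" "python-requests/2.21.0"
198.51.100.23 - - [03/Mar/2019:10:05:03 +0000] "POST /uploads/img/help.php HTTP/1.1" 200 211 "-" "python-requests/2.21.0"
198.51.100.23 - - [03/Mar/2019:10:05:09 +0000] "POST /uploads/img/help.php HTTP/1.1" 200 4096 "-" "python-requests/2.21.0"
10.0.0.9 - - [03/Mar/2019:10:06:30 +0000] "GET /uploads/img/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Hypothetical baseline: script paths the application is known to serve.
# In a real deployment, derive this from the release manifest, not by hand.
KNOWN_SCRIPTS = {"/index.php", "/login.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Extensions the web server would execute server-side; extend for your stack.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|aspx?|ashx|asmx|jspx?|cfm)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec.pop("target").split("?", 1)[0]  # strip the query string
    rec["status"] = int(rec["status"])
    return rec


def find_webshell_candidates(log_text, known_scripts, min_posts=2):
    """Return {path: summary} for server-side script paths that are absent from the
    deployment baseline and receive successful (200) POST requests. Repeated POSTs
    to a script the application never shipped is the access pattern a dropped
    webshell produces; the summary records who used it, with what client, and when."""
    per_path = defaultdict(lambda: {"posts": 0, "source_ips": set(), "user_agents": set(),
                                    "first_seen": None, "no_referer": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SCRIPT_EXT.search(rec["path"]):
            continue                      # unparseable line or not an executable script
        if rec["path"] in known_scripts:
            continue                      # legitimate application endpoint
        if rec["method"] != "POST" or rec["status"] != 200:
            continue                      # webshell clients POST commands and get 200 back
        s = per_path[rec["path"]]
        s["posts"] += 1
        s["source_ips"].add(rec["ip"])
        s["user_agents"].add(rec["ua"])
        s["first_seen"] = s["first_seen"] or rec["ts"]
        if rec["referer"] in ("", "-"):
            s["no_referer"] += 1          # direct tool access, not a browser navigation
    return {p: s for p, s in per_path.items() if s["posts"] >= min_posts}


if __name__ == "__main__":
    for path, s in find_webshell_candidates(SAMPLE_LOG, KNOWN_SCRIPTS).items():
        print(f"{path}: {s['posts']} POSTs from {sorted(s['source_ips'])}, "
              f"first seen {s['first_seen']}, user agents {sorted(s['user_agents'])}")
```

The baseline is what makes this check precise: a path-based allowlist of shipped scripts turns "POST to an unexpected script" into a high-signal alert, whereas matching on file names or payload strings alone misses a shell that is named to blend in (as help.php under an image directory does here). The first_seen timestamp gives incident responders a lower bound on the intrusion window, and the source IPs and user agents feed directly into the block and hunt lists.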
TTPs:
• Nation-state tool set, including custom implants, exploits, and RATs
• Intelligence collection against militaries and governments
• Encrypted communications between implants and command-and-control infrastructure
• Long-term, deep access to compromised networks
• Sustained and highly targeted spear-phishing campaigns
Associated Malware: PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, LOGJAM