analyst@ nohacky:~/threat-actors $
cat/ threat-actors/ apt17-deputy-dog
analyst@nohacky:~/apt17-deputy-dog.html
active profile
type Nation-State
threat_level Critical
status Active
origin China — MSS Jinan bureau
last_updated 2026-03-26
DD
apt17-deputy-dog

APT17 / Deputy Dog

also known as: DeputyDog Axiom Hidden Lynx Tailgater Team Sneaky Panda Aurora Panda Bronze Keystone Heart Typhoon HELIUM Group 72 TG-8153 SIG22 G0025

A Chinese MSS unit operating out of Jinan, attributed by Intrusion Truth to MSS officer Guo Lin and a network of local contractor firms. Known for "hiding in plain sight" — embedding encoded C2 addresses inside legitimate Microsoft TechNet forum posts and profiles to evade detection. Has deployed multiple Internet Explorer zero-days across watering hole and spear-phishing campaigns targeting U.S. government entities, defense contractors, law firms, and Japanese organizations, and is linked to the CCleaner supply chain attack that reached millions of users in 2017.

attributed origin China (Jinan, Shandong Province)
suspected sponsor Chinese Ministry of State Security (MSS) — Jinan bureau, via contractor network
first observed 2010 (active from at least 2009)
primary motivation Espionage, IP Theft, Military Intelligence, Supply Chain Access
primary targets U.S. Gov, Defense, Law Firms, IT, Mining, NGOs, Japan
named campaigns DeputyDog, Ephemeral Hydra, Snowman, CCleaner
mitre att&ck group G0025
target regions USA (primary), Japan, global technology sector
threat level Critical — active, supply-chain capable

Overview

APT17 — given the name Deputy Dog by FireEye after the string "DGGYDSYRL" found in early malware samples, and tracked as Axiom by Novetta and several industry partners — is a China-based cyber espionage group operating under the Chinese Ministry of State Security's Jinan bureau. The group has conducted sustained intrusions against U.S. government entities, the defense industrial base, law firms, information technology companies, mining companies, and non-governmental organizations since at least 2009. FireEye first formally documented the group in 2013 with the publication of Operation DeputyDog, a campaign leveraging an Internet Explorer zero-day against Japanese targets.

APT17's signature tradecraft — the technique that earned coverage under the headline "hiding in plain sight" — involves creating legitimate-looking accounts on trusted public platforms and embedding encoded command-and-control IP addresses in forum posts and profile biography sections. The group is best documented doing this on Microsoft TechNet: rather than hosting C2 addresses on attacker infrastructure that could be blocked or discovered, APT17 encoded the IP into TechNet posts between the markers @MICR0S0FT and C0RP0RATI0N. The BLACKCOFFEE backdoor would decode the address and connect to the real C2 server. This "dead drop resolver" approach delays detection, prevents discovery of the C2 server via binary analysis, and gives the attackers a resilient fallback: if a C2 server is taken down, they simply update the encoded IP in the forum post to maintain control of all existing victim machines.

In July 2019, Intrusion Truth — the anonymous research group that had previously exposed APT3 and APT10 — published a series of posts attributing APT17 to the Jinan bureau of the MSS, identifying three individuals: Guo Lin, assessed as an MSS officer who manages four front companies in Jinan; Wang Qingwei, representative of one of those companies (Jinan Fanglang); and Zeng Xiaoyong (online alias "envymask"), whose code contributions to the ZoxRPC hacking tool were traced through the development chain to BLACKCOFFEE — APT17's primary backdoor. Intrusion Truth's attribution follows the same methodology used to expose APT3's Boyusec connection: tracing domain registration data and developer code commits back to named individuals affiliated with MSS-connected front companies. The Jinan MSS connection places APT17 within the broader provincial contractor model the MSS uses to conduct offensive cyber operations while maintaining plausible deniability.

APT17 is part of a loosely connected cluster of Chinese threat actors operating under the Axiom umbrella — a term coined by Novetta in 2015 to describe a Chinese intelligence apparatus responsible for coordinating multiple APT groups with overlapping tooling, infrastructure, and targeting. The CCleaner supply chain attack in 2017, in which Piriform's build system was compromised to deliver a backdoored version of CCleaner to approximately 2.27 million users, was attributed to Axiom with medium-to-high confidence by Intezer Labs and Kaspersky based on unique code patterns previously seen only in APT17 samples. Among the targets the attackers were attempting to reach through the compromised update were Google, Microsoft, Samsung, Sony, Intel, Cisco, and other major technology firms.

attribution note

Attribution to the MSS Jinan bureau is based on Intrusion Truth's open-source research from July 2019, corroborated by SecAlliance and others. No U.S. Department of Justice indictment has been filed against APT17 members to date. The Chinese government has denied all involvement. APT17 attribution overlaps with the broader Axiom cluster, making precise unit-level attribution complex — some vendors treat Axiom and APT17 as the same group; others treat APT17 as a subgroup within Axiom.

Target Profile

APT17's targeting aligns with broad Chinese strategic intelligence requirements rather than a single narrow sector. The group has demonstrated willingness to target adversary governments, military-adjacent institutions, legal firms (likely for trade secret litigation intelligence), and the technology supply chain as a force multiplier to reach deeper targets.

  • U.S. Government Entities: Federal agencies and government contractors are the most consistently documented APT17 targets, across all three named campaigns. The VFW website watering hole in Operation Snowman was specifically designed to target military and government personnel who would be likely visitors to a veterans' organization site.
  • Defense Industrial Base: Defense contractors and security software firms are recurring targets. The 2013 Bit9 compromise — in which APT17 used a SQL injection vulnerability to steal digital code-signing certificates — demonstrates particular sophistication: the stolen certificates were used to sign malware used in subsequent campaigns, bypassing signature-based defenses across the wider ecosystem.
  • Law Firms: Consistently named in FireEye's characterizations of APT17 targeting. Law firms handling trade secret litigation, M&A advisory, or government contract work represent high-value intelligence collection opportunities — enabling the group to access privileged attorney-client communications and litigation strategy documents.
  • Information Technology Companies: IT firms are targeted both for their own intellectual property and as supply chain vectors. The CCleaner compromise is the clearest documented example: rather than targeting the 20 technology giants directly, APT17 compromised a utility used by millions of their employees and used it as a beachhead for second-stage selective targeting.
  • Mining and Resource Extraction: Resource extraction companies appear consistently in APT17's documented target set, consistent with Chinese state interest in strategic mineral supplies and competitive intelligence on energy and commodity markets.
  • Japanese Organizations: Operation DeputyDog (2013) specifically targeted Japanese entities, making Japan a secondary but documented geographic focus alongside the U.S. Targeting of Japanese organizations is consistent with broader Chinese strategic competition with Japan in the Asia-Pacific.
  • Non-Governmental Organizations: NGOs — particularly those working in areas of political sensitivity to China, such as human rights, press freedom, and democratic governance — are documented APT17 targets, consistent with the MSS's domestic intelligence mandate and foreign influence suppression objectives.

Tactics, Techniques & Procedures

APT17 combines browser-based zero-day exploitation with watering hole attacks as its primary initial access methods, supplemented by spear-phishing. Its most technically distinctive characteristic is the use of legitimate trusted web services as dead drop resolvers for C2 infrastructure — a technique that significantly raises the detection and response cost for defenders, since blocking Microsoft TechNet would be impractical in most enterprise environments.

mitre id technique description
T1189 Drive-by Compromise (Watering Hole) APT17's most documented initial access method. Operations Snowman and Ephemeral Hydra involved compromising legitimate websites frequented by target audiences — the VFW website (targeting military personnel) and a national security policy discussion site (targeting government analysts) — and injecting malicious JavaScript iframes that exploited browser zero-days silently on page load. No user interaction beyond visiting the page was required.
T1566.001 Spear-Phishing Attachment Supplementary initial access vector used alongside watering hole attacks. Operation DeputyDog included spear-phishing elements delivering exploit payloads to Japanese targets. APT17 selectively applies phishing when watering hole access to a specific target is impractical.
T1203 Exploitation for Client Execution APT17 has exploited multiple Internet Explorer zero-days: CVE-2013-3893 (IE 8/9/10 — Operation DeputyDog), CVE-2013-3918 (IE — Operation Ephemeral Hydra), and CVE-2014-0322 (IE 10 — Operation Snowman). CVE-2014-0322 used a use-after-free vulnerability paired with Adobe Flash to bypass both ASLR and DEP. The group's consistent access to unpatched IE vulnerabilities indicates either strong in-house vulnerability research or an established supply relationship for zero-day exploits.
T1195.002 Supply Chain Compromise (Software) The 2013 Bit9 breach exploited a SQL injection vulnerability to compromise the security firm's build infrastructure and steal code-signing certificates, which were then used to sign APT17 malware — providing a trusted digital signature for subsequent implants. The 2017 CCleaner attack compromised Piriform's build pipeline, injecting a backdoored version of the popular utility into the official download and auto-update channel, reaching approximately 2.27 million users. Second-stage payloads were then selectively deployed to approximately 40 of those systems at priority technology company targets.
T1583.006 Acquire Infrastructure: Web Services APT17 created legitimate-looking accounts on Microsoft TechNet, posting in forum threads and building biographical profile sections to establish credible-looking infrastructure. TechNet was chosen because it is a trusted Microsoft property — blocking it network-wide is operationally impractical for most enterprises, and SSL inspection of Microsoft properties is often exempted.
T1102.001 Dead Drop Resolver APT17's defining C2 evasion technique. BLACKCOFFEE reads TechNet profile pages and forum posts, locating the encoded C2 IP address between the markers @MICR0S0FT and C0RP0RATI0N. The malware decodes this value and connects to the real C2 server. If the C2 server is burned, APT17 updates the encoded address on TechNet without touching the victim machines — giving the group durable, resilient access. The technique prevents C2 discovery via binary analysis of BLACKCOFFEE, since no hard-coded attacker IP exists in the binary.
T1059.003 Windows Command Shell BLACKCOFFEE and ZxShell both provide interactive reverse shell capability, enabling APT17 operators to run arbitrary shell commands on compromised hosts. Used for reconnaissance, lateral movement command execution, and staging data for exfiltration.
T1547.001 Registry Run Keys Operation DeputyDog payloads established persistence via Windows Registry CurrentVersion\Run keys, ensuring the backdoor was reinstated on system reboot. Consistent persistence mechanism across documented APT17 tool generations.
T1027 Obfuscated Files or Information DeputyDog exploit payloads were XOR-encoded with the key 0x95 — the same key used consistently across Operation DeputyDog and Operation Snowman, providing a cross-campaign infrastructure correlation indicator. Operation Ephemeral Hydra used a diskless/memory-resident payload to reduce forensic artifacts, deliberately avoiding writing the malware to disk to impede post-incident analysis.
T1070.004 File Deletion (Anti-Forensics) In Operation Ephemeral Hydra, APT17 deliberately chose a memory-only payload (9002 RAT / Hydraq variant) that does not write to disk. FireEye assessed this as either confidence in resources and operator skill, or a desire to leave minimal forensic artifacts — particularly useful when an attack fails, as nearly no evidence remains for analyst review.
T1190 Exploit Public-Facing Application The 2013 Bit9 compromise used SQL injection against an internet-facing web server to gain initial access — a different technique from APT17's usual browser exploitation, demonstrating flexibility in initial access methods when the target environment warrants it.

Known Campaigns

APT17 has a documented history spanning from at least 2009 through the present, with named campaigns concentrated between 2013 and 2017. Supply chain capability demonstrated in the Bit9 compromise (2013) and CCleaner attack (2017) represents a significant escalation from direct exploitation — indicating a strategic willingness to accept collateral exposure in exchange for trusted-channel access to high-value targets.

Bit9 Compromise 2013

In February 2013, APT17 exploited a SQL injection vulnerability in an internet-facing web server to penetrate Bit9 — a security software vendor whose core product was a whitelist-based endpoint protection platform. The attackers stole Bit9's code-signing certificates, which were then used to digitally sign APT17 malware used in subsequent campaigns. A legitimate digital signature from a trusted security vendor effectively bypassed signature-based defenses across the broader ecosystem of organizations using Bit9 products or trusting Bit9-issued certificates. FireEye later connected Bit9's C2 infrastructure to the same infrastructure used in Operation DeputyDog, confirming the same threat actor was responsible for both.

Operation DeputyDog 2013

FireEye's landmark exposure of APT17, documented in September 2013. Beginning on August 19, 2013, APT17 exploited CVE-2013-3893 — an unpatched Internet Explorer zero-day — in targeted attacks against Japanese organizations. The exploit payload was disguised as a JPEG image file ("img20130823.jpg") and XOR-encoded with the key 0x95. The payload created a DLL and established persistence via Registry Run keys; the malware connected to a C2 server at 180.150.228.102 in South Korea. FireEye derived the "DeputyDog" name from the artifact string "DGGYDSYRL" found in malware samples from this campaign — all compiled within a one-second window on August 19, 2013, indicating a coordinated build. The same 0x95 XOR key and related C2 infrastructure later appeared in Operation Snowman, confirming shared actor attribution.

Operation Ephemeral Hydra 2013

A follow-on campaign documented by FireEye in November 2013, exploiting two Internet Explorer zero-days (CVE-2013-3918 and CVE-2014-0266) via a watering hole hosted on a website focused on "national and international security policy" — deliberately chosen to target government analysts and national security personnel. The most technically notable characteristic was the payload: a diskless, memory-resident variant of the 9002 RAT (Hydraq/McRAT) that ran entirely in memory and wrote nothing to disk. This anti-forensic approach was either an expression of operational confidence or a deliberate attempt to minimize evidence in the event of detection. FireEye attributed Ephemeral Hydra to the same actor as DeputyDog based on shared infrastructure.

Operation Snowman 2014

On February 11, 2014, FireEye discovered that APT17 had compromised the website of the U.S. Veterans of Foreign Wars and injected malicious JavaScript into its HTML code. Visitors to the site using Internet Explorer 9 or 10 were silently exploited via CVE-2014-0322 — a use-after-free zero-day that bypassed both ASLR and DEP. The attack used Adobe Flash in conjunction with the IE exploit. The payload was XOR-encoded with the same 0x95 key used in DeputyDog and dropped a ZxShell backdoor. FireEye noted that a U.S. government holiday weekend (Presidents' Day, February 17) and a snowstorm that closed Washington D.C. government offices provided cover: targeted government employees were likely to visit the VFW site on the holiday, while reduced IT staffing limited detection and response. FireEye linked Snowman to DeputyDog and Ephemeral Hydra via shared C2 infrastructure, confirming a single actor across all three campaigns.

BLACKCOFFEE / TechNet Dead Drop 2013 – 2015

Documented by FireEye and Microsoft in a joint May 2015 publication. Since at least 2013, APT17 had been encoding C2 IP addresses into Microsoft TechNet profile pages and forum threads, with the BLACKCOFFEE backdoor reading those pages to obtain the real C2 address. The encoded IP appeared between the markers @MICR0S0FT and C0RP0RATI0N. APT17 created believable-looking TechNet accounts — including posting seemingly legitimate forum answers — to make the profiles appear authentic. When FireEye and Microsoft discovered the campaign, they sinkholed it by replacing the encoded IP in the TechNet posts with a sinkhole address, allowing them to observe victim check-ins. The joint disclosure included IOCs for BLACKCOFFEE and Microsoft released anti-malware signatures. FireEye noted this technique was likely already being adopted or imitated by other threat actors.

CCleaner Supply Chain Attack 2017

In September 2017, Cisco Talos and Avast disclosed that the official download and auto-update distribution of CCleaner — a popular Windows utility owned by Piriform — had been backdoored. Approximately 2.27 million users downloaded the compromised version. A second-stage payload was selectively deployed to approximately 40 systems at major technology companies including Google, Microsoft, Samsung, Sony, Cisco, Intel, HTC, Linksys, and D-Link. Intezer Labs identified unique code — a base64 implementation previously seen only in APT17 samples and in no public malware repositories — present in both the first and second-stage payloads, attributing the attack to the Axiom group (APT17) with high confidence. Kaspersky and Talos independently corroborated the code overlap findings. Attribution carries some uncertainty as the CCleaner C2 infrastructure more closely matched a newer, related group within the Axiom cluster than the core APT17 infrastructure. Avast later disclosed a second attempted compromise of CCleaner in 2019, also attributed to Axiom/APT17.

Tools & Malware

APT17 maintains a large and varied toolset that has evolved over more than a decade. Core custom backdoors are supplemented by widely used commodity RATs — Gh0st RAT, PlugX, Poison Ivy — deployed alongside bespoke implants to complicate attribution and provide operational redundancy. The ZoxRPC-to-BLACKCOFFEE lineage, traceable through documented code contributions by named individuals, is the forensic chain that enabled Intrusion Truth's 2019 attribution.

  • BLACKCOFFEE (ZoxPNG): APT17's primary backdoor, evolved from the earlier ZoxPNG tool, which was itself developed by Jinan-based hacker Zhang Peng ("missll") from Zeng Xiaoyong's ZoxRPC code. Provides file upload and download, reverse shell creation, file and process enumeration, file manipulation (rename, move, delete), process termination, and an extensible backdoor command framework. C2 IP retrieved via TechNet dead drop resolver rather than hard-coded — its defining evasion characteristic. Deployed since at least 2013.
  • ZoxRPC: The precursor to BLACKCOFFEE, incorporating a Chinese-specific exploit of MS08-067 whose authorship was traced to Zeng Xiaoyong ("envymask") via code commit analysis. ZoxRPC is documented across multiple Chinese APT groups, making it a shared capability tool within the broader MSS contractor ecosystem.
  • DeputyDog malware (Trojan.APT.DeputyDog): The initial implant associated with Operation DeputyDog, named after the artifact string found in samples. Communicates via HTTP over port 443 in cleartext — a deliberate choice to blend with HTTPS traffic at the port level while avoiding actual encryption overhead. Used across the 2013 Japan-targeting campaign.
  • 9002 RAT (Hydraq / McRAT variant): A memory-resident RAT used in Operation Ephemeral Hydra that deliberately avoids writing to disk. Runs entirely in process memory, disappearing on reboot. Minimizes forensic artifacts and was chosen specifically for the high-value national security policy targeting in Ephemeral Hydra, where leaving evidence would have been particularly costly.
  • HiKit: A rootkit-level persistent backdoor used in the Bit9 compromise and associated infrastructure. Provided deep system access and was notable for its ability to operate at the kernel level, surviving standard malware removal attempts. Two HiKit variants were found in the Bit9 intrusion.
  • ZxShell: A publicly available Chinese RAT used in Operation Snowman and multiple other APT17 campaigns. Despite being commodity malware, APT17 signed ZxShell samples with the stolen Bit9 certificates — giving a known-commodity tool a trusted code signature that evaded detection across many enterprise environments.
  • PlugX: A modular RAT widely used across Chinese APT groups. APT17 deployed PlugX in the Japan-targeting campaigns documented in the VB2019 analysis, alongside Agtid and other implants, in watering hole and supply chain attacks from 2013 through 2015.
  • Gh0st RAT / Poison Ivy / Comfoo: Commodity Chinese RATs used across various APT17 campaigns, often in combination with more specialized custom implants. Gh0st RAT and Poison Ivy provide full remote access capability and are widely available in the Chinese underground, making attribution harder when deployed without custom tool telltales.
  • Briba / Naid / Nerex / Pasam / Wiarp / Vasport / Linfo / Jumpall: Additional custom and semi-custom backdoors associated with the APT17/Axiom cluster across documented campaigns, providing redundant access and complicating detection through tool diversity.

Indicators of Compromise

The following IOCs draw from Operation DeputyDog (FireEye 2013), Operation Snowman (FireEye 2014), and the BLACKCOFFEE/TechNet analysis (FireEye/Microsoft 2015). Many are historical. The dead drop resolver behavioral pattern is the most durable detection indicator.

warning

Specific infrastructure IOCs (domains, IPs) from documented 2013–2015 campaigns are historical and should not be used for active blocking without verification against current threat intelligence feeds. Microsoft and FireEye sinkholed the TechNet C2 infrastructure in 2015. The behavioral indicators below are more durable.

indicators — behavioral and historical
technique HTTP GET to Microsoft TechNet pages followed by parsing for strings between @MICR0S0FT and C0RP0RATI0N markers (BLACKCOFFEE dead drop resolver — T1102.001)
technique XOR encoding with key 0x95 — consistent across DeputyDog and Snowman payloads; cross-campaign correlation indicator
string DGGYDSYRL — artifact string in DeputyDog samples; basis for YARA rule (rule APT_DeputyDog)
cve CVE-2013-3893 — IE 8/9/10 zero-day (Operation DeputyDog — patched MS13-080)
cve CVE-2013-3918 — Internet Explorer zero-day (Operation Ephemeral Hydra — patched MS13-090)
cve CVE-2014-0322 — IE 10 use-after-free zero-day + Flash (Operation Snowman — patched MS14-012)
domain yahooeast[.]net (historical — DeputyDog C2, registered 654@123.com)
domain blankchair[.]com (historical — DeputyDog infrastructure)
ip 180.150.228.102 (historical — DeputyDog C2, South Korea-hosted)
pattern Anomalous outbound HTTP to Microsoft TechNet followed by immediate connection to non-Microsoft IP — behavioral indicator of dead drop resolver activity

Mitigation & Defense

APT17 is assessed as active. The group's supply chain capability and willingness to compromise trusted software distribution pipelines means that organizations cannot rely solely on perimeter defenses — malware may arrive via a trusted, signed, legitimately distributed software update. Behavioral detection and software supply chain integrity verification are the highest-priority defensive investments for organizations in APT17's target sectors.

  • Dead Drop Resolver Detection: APT17's TechNet C2 technique is detectable behaviorally: look for processes making HTTP requests to Microsoft TechNet or similar trusted web properties, parsing the response for encoded strings, and immediately making connections to a second, unrelated IP or domain. Endpoint Detection and Response (EDR) tools can identify this pattern even when the specific TechNet accounts and C2 IPs have changed. Network proxies logging full URL paths (not just domains) for outbound HTTPS traffic will capture TechNet page fetches with unusual URI patterns.
  • Software Supply Chain Integrity: The CCleaner and Bit9 incidents demonstrate that signed software from legitimate vendors can deliver APT17 implants. Implement binary attestation and hash verification for all software updates, not just initial installs. Treat automatic updates as untrusted until verified. Consider deploying software update sandboxing — detonating updates in an isolated environment before enterprise-wide distribution — for high-risk software categories.
  • Browser Hardening and Patch Urgency: APT17's three named campaigns all exploited Internet Explorer zero-days. IE is retired (June 2022) and should be completely removed from all enterprise endpoints. Where legacy application dependencies require IE-mode in Edge, restrict it to the minimum necessary scope and ensure all available patches are applied within 24 hours of release. Deploy EMET (or Windows Defender Exploit Guard on modern systems) for additional browser exploit mitigations.
  • Watering Hole Defense: APT17 carefully selects watering hole sites frequented by target audiences (veteran organizations, national security policy websites). Defenders in government, defense, and national security sectors should consider applying additional browsing controls — script blocking, browser isolation, or virtual browser sessions — for users accessing non-core external websites, particularly sites likely to attract sector-specific audiences.
  • Code-Signing Certificate Hygiene: The Bit9 breach demonstrated that stolen code-signing certificates bypass many defensive controls. Implement certificate pinning for internal software where feasible, monitor for unexpected or new signing certificates appearing in your software inventory, and treat any binary signed by a certificate not in your approved allow-list as high-risk regardless of the signing authority's reputation.
  • Network Segmentation and Lateral Movement Detection: APT17's post-compromise behavior involves rapid lateral movement using stolen credentials and installed backdoors. Deploy network segmentation to limit east-west access, monitor for anomalous lateral movement patterns using NDR/EDR, and enforce least-privilege access models that contain the blast radius of any single compromised endpoint.
  • Third-Party and Vendor Risk: APT17 reached priority targets by compromising their software supply chain rather than attacking them directly. Organizations should extend their threat model to include the security posture of security software vendors, build tool providers, and widely deployed enterprise utilities. Conduct periodic reviews of software used across the enterprise, particularly tools with high-privilege access or system-level installation rights.
analyst note

APT17's place within the Axiom umbrella and its connections to APT41 through shared tooling (BLACKCOFFEE, ZoxRPC lineage) and the CCleaner overlap suggest it operates as part of a coordinated MSS contractor ecosystem rather than a fully independent unit. The Jinan bureau attribution positions it within the same provincial MSS contracting model used for APT3 (Guangdong bureau / Boyusec) and APT10 (also MSS-linked). As the MSS has increasingly absorbed offensive cyber operations previously handled by the PLA — particularly since the 2015 PLA restructuring — groups like APT17 represent the operational arm of China's shift toward contractor-based, deniable cyber operations. No DOJ indictment has been filed to date, but Intrusion Truth's methodology has preceded indictments for APT3 and APT10, making further legal action against named APT17 individuals a plausible future development.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile