We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access. In contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.
There are currently no families associated with this actor.
| Date | Source | Title | Actors / families referenced |
|---|---|---|---|
| 2022-08-04 | Mandiant | Advanced Persistent Threats (APTs) | APT1, APT10, APT12, APT14, APT15, APT16, APT17, APT18, APT19, APT2, APT20, APT21, APT22, APT23, APT24, APT27, APT3, APT30, APT31, APT4, APT40, APT5, APT9 |
| 2022-07-18 | Palo Alto Networks Unit 42 | | Poison Ivy, APT20 |
| 2019-12-19 | Fox-IT | Operation Wocao: Shining a light on one of China's hidden hacking groups | APT20, Operation Wocao |
| 2015-08-10 | shadowserver | The Italian Connection: An analysis of exploit supply chains and digital quartermasters | |
| 2014-09-19 | Palo Alto Networks Unit 42 | Recent Watering Hole Attacks Attributed to APT Group "th3bug" Using Poison Ivy | |