APT10 – Threat Actor Profile

1. Overview

APT10, also tracked as Stone Panda, menuPass, Red Apollo, CVNX, POTASSIUM and Cicada, is a Chinese state-sponsored threat actor that has been active since at least 2009. It is widely attributed to China’s Ministry of State Security (MSS) and is best known for long-term espionage campaigns against defence, technology, healthcare and managed service provider (MSP) networks.

APT10’s campaigns typically aim to exfiltrate sensitive intellectual property and trade secrets in support of Chinese strategic and economic interests. The group has operated globally, with victims across North America, Europe, Asia and Australia. It was the actor behind Operation Cloud Hopper (the name given by PwC and BAE Systems in their 2017 reporting), one of the most significant supply chain intrusions ever discovered: by compromising MSPs, the group obtained access to the networks of the MSPs’ customers.


2. Origin and Evolution

Early reporting on APT10 documented sustained targeting of Japanese organisations; the group later expanded to government and corporate targets in the United States, the United Kingdom and elsewhere. Its activity escalated in 2014–2017, when the group added supply chain compromise to its direct targeting: by infiltrating MSPs it could reach the MSPs’ clients through legitimate, trusted administrative access rather than having to breach each client separately.

In December 2018 the United States Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, for their roles in APT10’s campaigns, stating that they acted in association with the Tianjin State Security Bureau, a regional arm of the MSS. Despite this public exposure, APT10 has continued to operate with evolving infrastructure and tradecraft.


3. Tactics, Techniques, and Procedures (TTPs)

APT10 has consistently demonstrated the capability to gain long-term access and to steal data at scale. Key techniques, with their MITRE ATT&CK IDs, include:

  • Initial access
    Exploits vulnerabilities in internet-facing VPN appliances, web servers and email systems (T1190 Exploit Public-Facing Application). Also uses spear-phishing emails with malicious attachments (T1566.001).
  • Credential theft
    Deploys tools such as Mimikatz to dump credentials from LSASS memory (T1003.001), then reuses the stolen credentials to move laterally and keep access (T1078 Valid Accounts).
  • Supply chain compromise via trusted relationships
    Gains access to managed service providers, then abuses the MSP’s legitimate administrative access to reach downstream customer environments, often undetected for extended periods. ATT&CK classes this as T1199 Trusted Relationship; T1195 Supply Chain Compromise is reserved for tampering with software or hardware before it reaches the victim.
  • Persistence and lateral movement
    Uses scheduled tasks (T1053.005), registry modifications (T1112) and DLL side-loading through signed, legitimate executables (T1574.002) to maintain presence. Lateral movement is achieved with RDP (T1021.001), PsExec over SMB (T1021.002, T1569.002) and WMI (T1047).
  • Data exfiltration
    Compresses stolen data into archives (T1560) and exfiltrates it over encrypted protocols, including HTTPS to its command-and-control infrastructure (T1041) and SFTP to attacker-controlled servers (T1048).

APT10 is also known to use PlugX and QuasarRAT alongside custom implants such as ChChes and RedLeaves, typically obfuscated or delivered via DLL side-loading to evade endpoint detection.


4. Targeting Profile

APT10 focuses on high-value industries and sectors relevant to China’s national security and economic development goals. Frequent targets include:

  • Managed service providers (MSPs)
  • Aerospace and defence contractors
  • Pharmaceutical and biotech companies
  • Universities and research institutions
  • Government agencies and ministries
  • Telecommunications and energy infrastructure providers

UK organisations, particularly those involved in government contracts, academic research, and defence technology, have been repeatedly targeted by APT10 and its affiliates.


5. Notable Campaigns and Victims

APT10’s most prominent operations include:

  • Operation Cloud Hopper (2014–2017):
    Global compromise of MSPs across multiple continents, giving APT10 access to the data of hundreds of downstream clients through the MSPs’ own management connections.
  • Defence and aerospace targeting (reported by PwC under the alias Red Apollo, which is a name for the group itself rather than for a single operation):
    A long-term campaign against US and European defence and aerospace contractors aimed at stealing proprietary designs and project documentation.
  • Attacks on UK academic institutions (2017–2020):
    Several UK-based universities and research centres were targeted for data relating to advanced materials, AI and biotechnology.
  • Healthcare and COVID-19 research (2020–2021):
    APT10 was among several Chinese threat groups suspected of attempting to steal vaccine research and related data during the early phase of the pandemic.

6. Technical Indicators

Common indicators of APT10 activity include:

  • Malware families such as PlugX, QuasarRAT and ChChes
  • DLL side-loading: a signed, legitimate executable is dropped next to a malicious DLL that it loads by name, so the malicious code runs under a trusted process and bypasses signature-based AV
  • Scheduled tasks named “sysupdater” or “userclient” for persistence
  • Domains mimicking legitimate enterprise or MSP infrastructure
  • Data staged as compressed .rar or .zip files, often password-protected, and exfiltrated over encrypted channels

Because APT10 enters customer networks through the MSP’s own remote-management tooling and credentials, its traffic blends with legitimate MSP traffic. Detection therefore depends on behaviour-based analytics and strong network segmentation rather than on signatures alone.


7. Defensive Measures and Recommendations

To protect against APT10:

  • Harden and monitor remote access infrastructure, particularly VPN appliances and email gateways, and patch internet-facing systems promptly
  • Conduct regular audits of MSP access, apply the principle of least privilege to MSP accounts, and separate MSP administrative access from the rest of the estate
  • Implement endpoint detection and response (EDR) with memory scanning and behaviour detection, since side-loaded implants leave little on disk that signatures will match
  • Use multi-factor authentication for all privileged and remote access accounts, including those used by MSP staff
  • Monitor for lateral movement patterns (PsExec service installation, remote WMI execution, RDP from unusual sources) and for bulk archive creation on endpoints and file servers
  • Encrypt sensitive data in transit and at rest, and segregate critical data repositories so that a compromised MSP account cannot reach them directly

Organisations should also vet MSP partners and ensure third-party risk management policies are robust and enforced.
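The indicators in section 6 and the monitoring recommendations above can be turned into concrete detection logic. The following Python script is an added example written for this profile, not code from UK Cyber Defence Ltd or from any vendor. It runs over a constructed JSON-lines export of Sysmon and Windows Security events (the shape agents such as winlogbeat produce) and flags the four behaviours the profile describes: the named scheduled tasks, archive staging, PsExec/WMI lateral movement and DLL side-loading. The host names, users, paths and command lines in the sample are assumptions made for the demonstration, and the side-loading rule is a heuristic rather than a confirmed APT10 signature.

```python
"""Behaviour-based checks for the APT10 indicators listed in this profile:
scheduled-task persistence, archive staging before exfiltration, PsExec/WMI
lateral movement and DLL side-loading. Runs offline over Sysmon / Windows
Security events exported as JSON lines. Every host name, user, path and
command line in SAMPLE_LOG is constructed test data, not a real observation."""
import json
import ntpath
import re
from collections import Counter

# Task names this profile associates with APT10 persistence.
SUSPICIOUS_TASK_NAMES = {"sysupdater", "userclient"}
# Command-line archivers used to stage data as .rar/.zip before exfiltration.
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zr.exe"}
# Trees where an unsigned DLL beside its loader is too common to alert on.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# rar/7z "add" command and the -p<pwd> / -hp<pwd> password switches.
ARCHIVE_ADD = re.compile(r"(?:^|\s)a(?:\s|$)")
ARCHIVE_PASSWORD = re.compile(r"(?:^|\s)-h?p\S")

# Constructed sample: five malicious events followed by three benign ones.
SAMPLE_LOG = r'''
{"EventID": 4698, "Computer": "WS-0142", "SubjectUserName": "jsmith", "TaskName": "\\sysupdater"}
{"EventID": 1, "Computer": "WS-0142", "Image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\rar.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rar.exe a -hpSecret123 -r C:\\Users\\jsmith\\AppData\\Local\\Temp\\d.rar C:\\Projects\\"}
{"EventID": 1, "Computer": "FS-01", "Image": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}
{"EventID": 1, "Computer": "WS-0142", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic /node:FS-01 process call create \"cmd.exe /c whoami\""}
{"EventID": 7, "Computer": "WS-0142", "Image": "C:\\ProgramData\\VendorApp\\updater.exe", "ImageLoaded": "C:\\ProgramData\\VendorApp\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 1, "Computer": "WS-0142", "Image": "C:\\Program Files\\7-Zip\\7z.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "7z.exe x report.7z"}
{"EventID": 7, "Computer": "WS-0142", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 4698, "Computer": "WS-0142", "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}
'''


def parse_events(jsonl_text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def detect(events):
    """Return one alert dict (rule, host, evidence) per matching event."""
    alerts = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")

        def hit(rule, evidence):
            alerts.append({"rule": rule, "host": host, "evidence": evidence})

        if eid == 4698:  # Security: scheduled task created
            if ev.get("TaskName", "").lstrip("\\").lower() in SUSPICIOUS_TASK_NAMES:
                hit("apt10_task_name", ev["TaskName"])
        elif eid == 1:  # Sysmon: process creation
            image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            cmd_l = cmd.lower()
            if image == "schtasks.exe" and "/create" in cmd_l and any(
                    n in cmd_l for n in SUSPICIOUS_TASK_NAMES):
                hit("apt10_task_name", cmd)
            # Staging: an archiver adding files, or setting an archive password.
            if image in ARCHIVERS and (ARCHIVE_ADD.search(cmd_l) or ARCHIVE_PASSWORD.search(cmd_l)):
                hit("archive_staging", cmd)
            # Lateral movement: PsExec service binary on the target, remote WMI
            # process creation on the source, or a shell spawned by the WMI
            # provider host on the target.
            if image == "psexesvc.exe":
                hit("lateral_movement", ev.get("Image", ""))
            elif image == "wmic.exe" and "/node:" in cmd_l:
                hit("lateral_movement", cmd)
            elif parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe"}:
                hit("lateral_movement", cmd)
        elif eid == 7:  # Sysmon: image (DLL) load
            loader, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
            # Side-loading heuristic: unsigned DLL loaded from the loader's own
            # directory, outside the Windows and Program Files trees.
            if (str(ev.get("Signed", "")).lower() == "false"
                    and _dir(dll) == _dir(loader)
                    and not _dir(dll).startswith(TRUSTED_DIRS)):
                hit("dll_sideload", f"{loader} -> {dll}")
    return alerts


def summarise(alerts):
    """Count alerts per (host, rule) so an analyst sees clusters, not single hits."""
    return Counter((a["host"], a["rule"]) for a in alerts)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"[{a['rule']}] {a['host']}: {a['evidence']}")
    print(dict(summarise(found)))
```

Run it directly to print the five alerts from the sample; in practice feed it the JSON-lines export from your SIEM or log pipeline. The per-host summary matters more than any single hit: PsExec and archive creation are both legitimate administrative actions on their own, but a workstation that registers a named task, stages a password-protected archive in a temp directory and then reaches a file server over WMI in the same session is exactly the pattern section 6 describes, and that cluster is what an analyst should be paged on.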


8. Attribution and Alliances

APT10 is linked to China’s Ministry of State Security and is believed to operate under direct government tasking. It shares some tradecraft with other Chinese APTs, including APT3 and APT41, though its focus on long-term, infrastructure-level access and supply chain compromise through MSPs sets it apart.

Public attribution of APT10 has been made by multiple governments, including:

  • United States Department of Justice (December 2018 indictment)
  • UK’s National Cyber Security Centre
  • Australian Cyber Security Centre
  • European Union (Council cyber sanctions of July 2020 relating to Operation Cloud Hopper)

9. Conclusion

APT10 remains one of the most strategically important Chinese cyber threat actors. Its focus on intellectual property theft, third-party supply chain infiltration, and long-term persistence has caused widespread concern among governments and multinational enterprises alike.

UK organisations in research, defence, government services, and IT supply chains should consider APT10 a high-priority threat and apply proactive detection and response strategies accordingly.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
