{
	"id": "21265635-1b15-454e-ab63-90c83c7ad363",
	"created_at": "2026-04-06T00:17:35.619186Z",
	"updated_at": "2026-04-10T03:33:45.893012Z",
	"deleted_at": null,
	"sha1_hash": "cda5364037f9b0a96a4c6d23a8079a9189379122",
	"title": "APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4627533,
	"plain_text": "APT10 was managed by the Tianjin bureau of the Chinese\r\nMinistry of State Security\r\nBy intrusiontruth\r\nPublished: 2018-08-15 · Archived: 2026-04-05 16:49:37 UTC\r\nIn previous posts, Intrusion Truth showed that the Cloud Hopper / APT10 hackers that attacked thousands of\r\nglobal clients of Managed Service Providers (MSPs) in 2016 were based in Tianjin, China.\r\nWe identified Zheng Yanbin, Gao Qiang and Zhang Shilong as three actors responsible. We associated them with\r\nthe Huaying Haitai Science and Technology Development Co Ltd (天津华盈海泰科技发展有限公司) and\r\nLaoying Baichen Instruments Equipment Co Ltd in Tianjin China. But we haven’t yet explained who was\r\nmasterminding or controlling the attacks.\r\nIn the course of our investigation over the last year, we engaged with several Cyber Threat Intelligence analysts\r\nwho provided both raw data and analysis to our team. Amongst the data provided to us recently was evidence that\r\nGao Qiang has been working with the Chinese state. 
The key piece of data was an Uber journey.\r\nJourneys to 85 Zhujiang Road\r\nhttps://intrusiontruth.wordpress.com/2018/08/15/apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security/\r\nPage 1 of 6\n\n强’s travel from work at Huaying Haitai to Xiqing District.\r\nThis image, which was provided by an analyst who prefers not to be named publicly (but whose identity we have\r\nindependently verified), shows an Uber receipt addressed to a user called ‘Qiang’ (强) and bears the e-mail\r\naddress 420192[at]qq.com, an account that we believe to be used by APT10 actor Gao Qiang.\r\nThe receipt shows travel at the end of the working day between 384 Jiefang South Road (解放南路) –\r\nimmediately outside the Fuyu Mansion address of Huaying Haitai – and a destination in what appears to be a\r\nresidential area of the Xiqing District of Tianjin just south of the Waihuan River. We have blacked out the exact\r\nstreet number in the image.  This map shows the location of the start of the journey, outside the Fuyu Mansion\r\nbuildings.\r\nThe collection address outside the Fuyu Mansion Buildings, home of Huaying Haitai\r\nThis second Uber receipt, provided by the same analyst, shows further travel by the same user, though here he\r\nuses the name ‘Pig’ (猪). 
This could be some attempt to disguise the nature of the journey, though readers will\r\nnote the same QQ e-mail address is used.\r\n猪’s travel between Xiqing District and 85 Zhujiang Road\r\nIn this case the journey is between the same residential area in the Xiqing District and a large complex at 85\r\nZhujiang Road (珠江道), Tianjin.\r\nAccording to the rest of the data revised by analysts working for this blog, this was one of a number of journeys\r\nmade by the user to/from the same complex on Zhujiang Road.\r\nTianjin State Security Bureau\r\n85 Zhujiang Road is an important address in Tianjin – it is the headquarters of the Tianjin State Security Bureau\r\n(天津市国家安全局), a regional arm of the Ministry of State Security (MSS). MSS is the same Chinese\r\nIntelligence Service that was tasking APT3 via a cover company managed by its office in Guangdong.\r\nThe large complex visited by Gao Qiang at 85 Zhujiang Road, Tianjin\r\nThis looks like what it is – an exact copy of the APT3 model. This was a large scale infiltration of western\r\ninfrastructure conducted by a team of Chinese citizens working for a small company with links to the Chinese\r\nIntelligence Service, MSS. 
It is the second time that this blog has proven a link between a damaging APT group\r\nand the Chinese state (and it certainly won’t be the last).\r\nThe conclusion?\r\nEither:\r\nsomeone with the same name as an apparent APT10 hacker,\r\ntravelled from the same building as an APT10 associated company, and\r\nmet frequently with the Ministry of State Security in Tianjin.\r\nOr:\r\nAPT10 was the work of the Chinese Ministry of State Security.\r\nSource: https://intrusiontruth.wordpress.com/2018/08/15/apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2018/08/15/apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security/"
	],
	"report_names": [
		"apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cda5364037f9b0a96a4c6d23a8079a9189379122.pdf",
		"text": "https://archive.orkl.eu/cda5364037f9b0a96a4c6d23a8079a9189379122.txt",
		"img": "https://archive.orkl.eu/cda5364037f9b0a96a4c6d23a8079a9189379122.jpg"
	}
}