{
	"id": "9bfd9d7d-3214-4ac0-a4cf-93c04179b620",
	"created_at": "2026-04-06T02:12:37.824219Z",
	"updated_at": "2026-04-10T13:12:08.689218Z",
	"deleted_at": null,
	"sha1_hash": "e87b05f20ef33f02be1c02a25f10630522686344",
	"title": "The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1962356,
	"plain_text": "The energy reserves in the Eastern Mediterranean Sea and a malicious\r\ncampaign of APT10 against Turkey\r\nPublished: 2020-05-14 · Archived: 2026-04-06 01:35:20 UTC\r\nEnergy reserves in the Eastern Mediterranean Sea and the “MEDEAST” gas pipeline:\r\nThe Mediterranean Sea has become an increasingly relevant geostrategic topic for the Ministries of Foreign Affairs of\r\nTurkey, Greece, Cyprus, Israel and even China due to the controversies generated during the last decade for the discoveries\r\nof natural gas resources located in the Eastern Mediterranean seas of States such Israel, Cyprus and Egypt ([1]).\r\nThe presence of Turkish troops in Libya and Syria, and the Franco-Greek alliance to avoid Turkish intrusions in the\r\nmaritime territory of Greece show the relevance and global interest in energy resources in the area.\r\nAs it could be seen in the following map, part of the geostrategic conflict is focused on the Turkish EEZ. Turkey carried out\r\nan agreement with Libya which tries to carry out an expansion of its exclusive maritime economic zones ([2]).\r\nIt is relevant to clarify that an EEZ is a maritime zone prescribed by the United Nations Convention on the law of the sea\r\nover which a state has special rights regarding the exploration and exploitation of sea resources, including the production of\r\nenergy through the water and wind ([3]) ([17]):\r\nIllustration 1. Expansion of Turkish EEZ\r\nThe expansion that the Turkish government tries to carry out could increase the geopolitical risk among Cypriots, Greeks\r\nand even Israeli governments. The military presence in the area by those States could be seen in the map shown above. The\r\nstrategy of increasing Turkey’s EEZ would leave without an important part of the continental shelf Athens ([4]). In addition,\r\nCyprus is significantly affected by this EEZ’s expansion as there is an occupation of the Cyprus’ EEZ area. 
Furthermore,\r\nPresident Erdogan has publicly declared that his oil exploration projects off the coast of Cyprus will not cease. Turkey is trying to\r\nestablish an EEZ under Turkish influence, which would be represented as in the following map ([5]):\r\nhttps://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/\r\nPage 1 of 6\n\nIllustration 2. Expansion of the Turkish EEZ and location of energy resources\r\nIn the previous map, you can see which energy exploration areas are located in Israel, Cyprus and Egypt. Moreover, these\r\nStates give diplomatic support to Cyprus and Greece in the conflict over the expansion of the Turkish EEZ.\r\nFurthermore, on the 27th of February of 2020, Greece, Cyprus and Israel signed an agreement to build a gas pipeline to\r\ntransport gas to Europe from the Leviathan gas reserves located in Israel. Moreover, in the near future there is the intention\r\nof connecting the extractions from the Cypriot gas reserves, Aphrodite and Calypso, to the pipeline ([6]).\r\nIllustration 3. Mediterranean Gas Pipeline\r\nTurkey has moved several warships to the coast of Cyprus in order to carry out gas exploration projects. The Eastern\r\nEuropean gas pipeline reduces the geopolitical power of Turkey as it tries to exclude Turkey from any participation in it.\r\nThis “pipeline” has been called “EastMed” ([6]). 
However, during March, Turkey will deploy an offshore drilling vessel in\r\norder to continue with its oil exploration projects in the EEZ waters of Greece, Cyprus and the EU in order to try to acquire\r\nin the future the role of gas supplier for the EU ([8]).\r\nInterests and influence of China in the Mediterranean area:\r\nChina, unlike US diplomatic-military expansionism, has focused its expansionist strategy on a diplomatic-commercial\r\napproach. For China, one of its key geostrategic locations has been the Port of Piraeus in Greece. The Greek government\r\ntendered 67% of the Port’s operations to COSCO (China Ocean Shipping Company) for the next 35 years for 368.5\r\nmillion euros and 350 million euros to be invested in the Piraeus port infrastructure ([9]).\r\nThe Port of Piraeus represents a potential gateway for all the commercial flow that comes from the OBOR sea route. In addition,\r\nduring November of 2019, China and Greece signed 16 cooperation agreements on different matters, including trade and\r\nenergy investments ([10]).\r\nOn the other hand, Cyprus signed an agreement with a consortium led by China to build the first natural gas import\r\nterminal in Cyprus. The terminal is designed to convert imported liquefied gas into a gaseous form to be used in energy\r\nplants ([11]). The construction is being developed by China Petroleum Pipeline Engineering, Metron, Hudong-Zhonghua\r\nShipbuilding and Wilhelmsen Ship Management. Construction is expected to be done in 2022.\r\nRegarding international security, China investigates Turkey’s relationship with the Uyghur community. The Uyghurs are\r\nTurkish-speaking people from the interior of Asia and most of them are of Muslim faith. 
The Uyghurs live\r\nin northwestern China, in the Uyghur autonomous region of Xinjiang and are considered a threat to the People’s Republic of\r\nChina as they are considered largely jihadist terrorists ([12]).\r\nTurkey is the country that has given the most international support to the Uyghur community. Currently, up to 45,000\r\nUyghur refugees live in Turkey on a temporary visa or even with a permanent residence permit ([13]).\r\nTurkey’s foreign affairs policies are misaligned with those of China. The possible obstruction of the OBOR route to the\r\nPort of Piraeus and the collaborative policies with the Uyghur community in the Xinjiang region of China could damage\r\ntheir diplomatic relations.\r\nDue to the diplomatic confrontations and conflicting interests of the two countries, China could carry out cyber espionage\r\noperations against Turkish organizations and institutions linked to diplomacy, defense, energy, telecommunications and\r\nforeign trade. Its main objective could be to collect confidential information in order to gain advantages within the future\r\ngeostrategic movements of Turkey and the rest of the actors involved in the conflicts over the energy resources located in the\r\nMediterranean Sea.\r\nMalicious campaign against Turkish organizations:\r\nA malicious campaign allegedly attributed to APT10 against Turkish organizations from various sectors such as\r\ntelecommunications and finance was identified by Adeo in January of 2020 ([14]). APT10 is a group presumably\r\nattributed to the Ministry of State Security of China ([15]). 
In addition, it is a group that usually targets organizations from\r\nvarious sectors such as defense, energy, health, telecommunications, governments, military, shipping and IT ([16]).\r\nIt has been identified that APT10 usually carries out malicious campaigns against organizations that could damage\r\nChina’s State interests in the global market. On the other hand, it has also been detected that APT10 usually carries out\r\nmalicious campaigns against organizations that support foundations which carry out aid projects with ethnic groups that may\r\nbe a potential threat to Chinese national security, as in the case of the Uyghur community.\r\nMoreover, several similarities have been identified between this campaign and the TTPs published in other APT10 reports in 2019\r\n([14]). In this case, it was identified that this campaign began in 2016 and the initial access was carried out with the\r\nexploitation of a public web application.\r\nSummary of the executed Kill Chain ([14]):\r\n• Initial access:\r\nThe attackers deployed the China Chopper and JspSpy webshells to obtain a foothold on the victim’s network that\r\nthey used to execute commands to upload files to the target machines.\r\n• Reconnaissance, execution and theft of credentials:\r\nIn the reconnaissance phase, a series of commands were launched to collect information from users, domains and shared\r\nfolders. The hostile actor used legitimate tools of the Windows operating systems for the reconnaissance stage, such as\r\n“ipconfig.exe”, “whoami.exe”, “net.exe”, “ping.exe”, “powershell.exe” and “BloodHound” (BloodHound is not a legitimate\r\nbinary from Microsoft). The attacker used an advanced tool called “dns.exe” to list all the machines that were registered in a\r\nparticular domain.\r\nRegarding the execution, the hostile actor deployed the “hTran” backdoor to be able to exfiltrate information. 
In previous\r\nmalicious APT10 campaigns against Turkey, this executable file was seen with the name “java.exe” on compromised hosts.\r\nHostile actors loaded a malicious DLL into the memory of a legitimate binary. The final payload was injected into the\r\nlegitimate process “svchost.exe”. It was identified that this payload was a PlugX variant or a CobaltStrike Beacon as a post-exploitation framework.\r\nTo carry out the theft of credentials the hostile actor used the following tools: “QuarksPWdump” and “Mimikatz”.\r\n• Lateral movements:\r\nThrough the lateral movements they were able to compromise critical servers and gain access as a domain administrator. The\r\ngroup used NTLM hashes to move laterally. They used the tools “net.exe”, “wmic.exe”, “psexec.exe”, “smbexec”, and\r\n“wmiexec”.\r\n• Persistence:\r\nThe advanced group established persistence on certain servers that were of interest to them and deployed remote access\r\nTrojans such as “QuasarRAT” and “PlugX”, as well as penetration testing (“pentesting”) tools such as “Cobalt Strike” and\r\n“kerberos”.\r\n• C\u0026C connections:\r\nHostile actors used two different ways to keep connections with C\u0026C servers. Once the vulnerability was exploited to\r\nestablish themselves on the public server, the group moved to the “terminal server”. To establish communications with the other\r\nhosts in the internal network, they installed an SMB beacon on the “terminal server”, using it as a bridge between the\r\ninternal network and the C\u0026C server.\r\nIllustration 4. First C\u0026C communication method\r\nHowever, the group established a different method for hosts that had direct access or had a proxy. In this case they used the\r\nHTTP protocol to establish the communications with the C\u0026C.\r\nIllustration 5. 
Second C\u0026C communication method\r\nThe following chart shows the TTPs used by APT10 during this malicious campaign against the Turkish\r\norganizations ([16]) ([14]):\r\nIllustration 6. TTP used in the APT10 campaign\r\nRecommendations:\r\nIt is recommended that organizations from the defense, government, energy, telecommunications and finance sectors\r\nlinked to projects that may affect the interests of China apply maximum prevention against this increase in malicious\r\ncampaigns from APT groups presumably linked to China.\r\nIt is recommended to apply the IOCs of the APT identified as a threat by their intelligence provider LAB52 as soon as\r\npossible.\r\nIt is recommended to keep the operating systems, services and tools used in the organization updated with the latest security\r\npatches.\r\nIt is recommended to establish security policies (GPOs) to control accesses and actions carried out in those systems and/or\r\nservices that are exposed to the internet.\r\nConclusions:\r\nSince the last decade, Turkey has acquired an important influence in the energy geopolitics of the Eastern Mediterranean\r\nSea. Turkish foreign policies have hindered China’s international trade strategies. Furthermore, Turkish diplomatic\r\nsupport for certain Chinese ethnic groups that are considered a threat to Chinese national security could\r\nmake Turkey a target of groups like APT10, which presumably are linked to the Ministry of State Security of\r\nChina. APT10 is a group that has a wide range of targets. 
Organizations from sectors of interest for the government of\r\nChina and organizations that have some kind of link with the commercial development of the OBOR route could be\r\nsusceptible to being targeted by groups such as APT10.\r\nReferences:\r\n[1] https://www.mei.edu/publications/turkeys-eastern-mediterranean-quagmire\r\n[2] https://www.petroleum-economist.com/\r\n[3] https://greece.greekreporter.com/2018/10/12/greece-egypt-aim-to-strangulate-turkey-in-east-med-turkish-daily-claims/\r\n[4] https://moderndiplomacy.eu/2019/12/20/the-exclusive-economic-zone-between-libya-and-turkey/\r\n[5] https://www.ozelburoistihbarat.com/kitalar-bolgeler-akdeniz-karadeniz-ege-marmara/dogu-akdenizde-tartisma-harita-uydu-goruntuleri-eren-talha-altun-12708\r\n[6] Kontakos P. (2018) Blue economy enterpreneurship in Offshore Energy in Cyprus and Greece. Journal of International\r\nScientific Publications\r\n[7] https://www.welt.de/wirtschaft/article204725766/EastMed-Das-ist-Europas-neue-Problem-Pipeline.html\r\n[8] https://www.turkishminute.com/2020/02/19/turkey-buys-third-drilling-ship-for-mediterranean-gas-exploration-erdogan/\r\n[9] https://www.cidob.org/en/publications/publication_series/notes_internacionals/n1_156/china_moors_in_the_mediterranean_a_sea_of_opportun\r\n[10] https://www.aljazeera.com/news/2019/11/greece-china-hail-strategic-partnership-eu-191111170150762.html\r\n[11] http://www.ekathimerini.com/247559/article/ekathimerini/news/chinese-led-consortium-to-build-cyprus-gas-import-terminal\r\n[12] https://www.icij.org/investigations/china-cables/china-cables-who-are-the-uighurs-and-why-mass-detention/\r\n[13] https://www.voanews.com/extremism-watch/uighurs-concerned-china-luring-turkey-silence-xinjiang\r\n[14] Adeo IT Consulting Services. January 2020. 
APT10 Threat Analysis Report.\r\nhttps://adeo.com.tr/en/adeo_annual_threat_report/\r\n[15] https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion\r\n[16] https://attack.mitre.org/\r\n[17] https://www.un.org/depts/los/convention_agreements/texts/unclos/part5.htm\r\nSource: https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/"
	],
	"report_names": [
		"the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7",
			"created_at": "2023-01-06T13:46:39.068694Z",
			"updated_at": "2026-04-10T02:00:03.202867Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"BRONZE MEDLEY"
			],
			"source_name": "MISPGALAXY:Calypso",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "13d9c5fc-af82-4474-90dd-188c4e40a399",
			"created_at": "2022-10-25T16:07:23.435079Z",
			"updated_at": "2026-04-10T02:00:04.601572Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"Bronze Medley"
			],
			"source_name": "ETDA:Calypso",
			"tools": [
				"Agent.dhwf",
				"Byeby",
				"Calypso RAT",
				"DCSync",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"EternalRomance",
				"FlyingDutchman",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"NBTscan",
				"OS_Check_445",
				"PlugX",
				"Quarks PwDump",
				"RedDelta",
				"SAMRID",
				"Sogu",
				"SysInternals",
				"TCP Port Scanner",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Whitebird",
				"Xamtrav",
				"ZXPortMap",
				"nbtscan",
				"netcat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441557,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e87b05f20ef33f02be1c02a25f10630522686344.pdf",
		"text": "https://archive.orkl.eu/e87b05f20ef33f02be1c02a25f10630522686344.txt",
		"img": "https://archive.orkl.eu/e87b05f20ef33f02be1c02a25f10630522686344.jpg"
	}
}