> threat_actor APT12 —— origin: PRC (PLA) —— alias: Numbered Panda —— targets: media, government, high-tech —— region: East Asia
APT12 — also tracked as Numbered Panda, IXESHE, DynCalc, DNSCalc, Hexagon Typhoon, BRONZE GLOBE, Calc Team, Crimson Iron, BeeBus, and Group 22 — is a Chinese cyber espionage group believed to be linked to the People's Liberation Army (PLA). The group has been active since at least 2009 and is best known for its 2012 breach of the New York Times, conducted in apparent retaliation for the newspaper's investigation into the vast personal wealth accumulated by the family of then-Premier Wen Jiabao.
APT12's operations are consistent with the broader strategic objectives of the People's Republic of China — particularly regarding Taiwan, Japan, and media organisations that publish reporting unfavourable to the PRC leadership. The group targets governments, defence industrial base organisations, high-technology companies, electronics manufacturers, telecommunications providers, and journalists, with a pronounced and sustained focus on Taiwanese interests.
What distinguishes APT12 from many state-sponsored groups is how quickly it retools after public exposure. FireEye dubbed it 'Darwin's Favourite APT Group' after watching the group overhaul its malware twice in direct response to vendor publications: once in 2013, after the Mandiant and New York Times disclosures, when updated AUMLIB and IXESHE variants with altered network traffic appeared, and again after Arbor Networks published a detailed analysis in June 2014 of the backdoor Arbor calls Etumbot and FireEye tracks as RIPTIDE. Within weeks of the Arbor report APT12 was deploying HIGHTIDE, a RIPTIDE variant with a different on-disk location, image base, User-Agent string and URI format. This pattern of rapid, publication-triggered change makes APT12 a particularly resilient adversary.
| Attribute | Detail |
|---|---|
| Tracked Names | APT12 (Mandiant/FireEye), Numbered Panda (CrowdStrike), IXESHE (Trend Micro), DynCalc / DNSCalc (various), Hexagon Typhoon (Microsoft), BRONZE GLOBE (Secureworks), Calc Team, Crimson Iron (ThreatConnect), BeeBus, Group 22, TG-2754 |
| State Sponsor | People's Republic of China (PRC). Believed to be linked to the People's Liberation Army (PLA). APT12's targeting patterns are consistent with PRC strategic interests — particularly regarding Taiwan, regional influence in East Asia, and the suppression of media reporting critical of the Chinese Communist Party leadership. |
| Active Since | At least 2009, with Trend Micro's initial reporting tracing spear-phishing campaigns using IXESHE malware to that year. Continuous activity observed through at least 2016, with IXESHE variants detected targeting Taiwanese government networks as recently as 2015–2016. The group's operational status beyond 2016 is less well-documented publicly, though PRC cyber espionage capabilities have continued to expand. |
| Primary Objective | Espionage in service of PRC strategic goals. Collection of intelligence from Taiwanese and Japanese governments, military entities, and defence-adjacent industries. Monitoring of media organisations publishing reporting on PRC leadership. Technology theft from high-tech and electronics sectors. |
| Operational Context | APT12 operates within a broader PRC cyber espionage ecosystem that includes dozens of groups attributed to the PLA, the Ministry of State Security (MSS), and associated contractors. Since Xi Jinping became General Secretary in 2012, the MSS has gained greater responsibility for cyber operations relative to the PLA — though PLA-linked groups like APT12 established much of the operational infrastructure and tradecraft during the earlier period. |
In October 2012, the New York Times became aware that hackers had been systematically infiltrating its computer network. The intrusion began shortly before the newspaper published an investigative report by Shanghai bureau chief David Barboza, detailing how the relatives of then-Premier Wen Jiabao had accumulated a fortune worth several billion dollars through business dealings. The timing was not coincidental.
AT&T, which monitored the Times' network, first alerted the newspaper to unusual traffic patterns. The Times then engaged Mandiant to conduct a forensic investigation. What they found was extensive: the attackers had been inside the network for approximately four months, had established backdoors on at least three employee computers, had spent two weeks mapping the internal network, and had ultimately compromised the passwords of every New York Times employee — both inside and outside the newsroom. Forty-five custom malware tools were installed during the intrusion.
| Phase | Activity | Detail |
|---|---|---|
| Initial Access | Spear-phishing emails targeting Times employees | Malicious emails delivered to staff, likely containing attachments exploiting document vulnerabilities or linking to credential harvesting pages. The Times anticipated the attempt — Western journalists in China had been subject to surveillance since at least 2008, the year of the Beijing Olympics. |
| Foothold | Backdoors established on three computers | Custom malware installed on initial compromised systems providing persistent remote access. These served as beachheads for deeper network penetration. |
| Reconnaissance | Two weeks mapping the internal network | Attackers explored the Times' infrastructure, identifying user accounts, email servers, and file storage. Systematic enumeration of the network architecture and access controls. |
| Credential Theft | Stole passwords of every Times employee | All corporate credentials compromised. Passwords were hashed, but readily crackable using rainbow tables. Provided universal access to internal systems. |
| Targeted Collection | Accessed David Barboza's email archive | Primary intelligence objective: the emails and materials related to the Wen Jiabao investigation. Also targeted former Beijing bureau chief Jim Yardley (then the South Asia bureau chief); the computers of 53 employees were accessed in total. |
| Persistence | 45 custom tools installed | Extensive tooling deployment ensuring long-term access. Multiple backdoors provided redundant access paths — loss of one did not mean loss of access. |
The New York Times breach was significant beyond its immediate impact. It demonstrated that PRC-linked threat actors would directly target major Western media organisations in response to reporting that embarrassed the Chinese Communist Party leadership. The breach occurred within a broader pattern — the Wall Street Journal disclosed similar Chinese intrusions shortly after the Times' revelation, and Bloomberg News reported being targeted after publishing its own investigation into the wealth of the family of Xi Jinping. The message was clear: publish unfavourable reporting on PRC leaders, and your network becomes a target.
| Sector | Strategic Value to PRC | Observed Targeting |
|---|---|---|
| Taiwanese Government | Taiwan is the PRC's primary geopolitical priority. Intelligence on Taiwan's government policy, military capability, diplomatic relationships, and internal politics directly supports PRC strategic planning — from cross-strait relations through to potential military scenarios. | Sustained, multi-year campaigns against Taiwanese government agencies. Decoy documents written in Traditional Chinese pertaining to government interests and upcoming conferences. IXESHE malware variants specifically configured for Taiwanese government networks. Watering-hole attacks on Taiwanese public service websites (2015–2016). |
| Japanese Government and Industry | Japan is a key US ally in the Pacific, hosts significant US military assets, and has its own territorial disputes with China (Senkaku/Diaoyu islands). Intelligence on Japanese government policy, defence capability, and technology supports PRC strategic interests. | Targeted alongside Taiwan in multiple campaigns. Spear-phishing with documents exploiting CVE-2012-0158 delivered to Japanese organisations. HIGHTIDE and WATERSPOUT backdoors deployed in Japan-targeted campaigns from 2014 onwards. |
| Media Organisations | Media organisations publishing investigative reporting on PRC leadership and policy represent a direct threat to the Party's narrative control. Compromising journalists' accounts reveals sources, unpublished investigations, and provides leverage for information suppression. | New York Times breach (2012) — directly targeting the journalist and bureau chief behind the Wen Jiabao investigation. Similar operations against other major Western media outlets reporting on PRC leadership wealth and policy. |
| High-Technology and Electronics | Technology theft supports the PRC's strategic goal of reducing dependency on foreign technology and accelerating domestic innovation. Electronics manufacturing intelligence supports both economic competitiveness and military capability development. | Campaigns against electronics manufacturers in East Asia. Targeting of high-tech companies with spear-phishing delivering IXESHE and Etumbot malware. Trend Micro documented campaigns against the electronics manufacturing and technology sectors. |
| Telecommunications | Telecoms infrastructure provides access to communications metadata and content. Compromising telecoms operators in target countries supports broader surveillance objectives. | Trend Micro documented targeting of at least one telecommunications company as part of APT12's East Asian campaigns. |
| Defence and Government (Broader) | Defence industrial base organisations and government agencies hold classified or sensitive information on military capability, procurement, and strategic planning. Intelligence collection from these targets supports PRC military modernisation. | Targeting of entities focused on international economic and financial policy. Defence-adjacent organisations in East Asia. Consistent with PLA cyber espionage mandates prior to the 2015 PLA Strategic Support Force reorganisation. |
APT12's malware arsenal consists primarily of custom backdoors designed for persistent access and data exfiltration, supplemented by exploitation of common document vulnerabilities for initial access. The defining characteristic of APT12's tooling is not sophistication but adaptability — the group has repeatedly modified or replaced their malware in direct response to public security vendor reporting.
| Tool | Type | Capabilities and Notes |
|---|---|---|
| IXESHE | Custom backdoor (primary, 2009+) | APT12's original and longest-running implant, pronounced 'i-sushi'. Provides remote shell access, file upload/download, system information collection, and data exfiltration. Communicates with C2 servers using Base64-encoded HTTP traffic. Known for stealing critical data from government and private entities in Germany, Taiwan, and other countries. Later variants added SSL encryption for C2 communications. Still observed in modified forms targeting Taiwanese government networks in 2015–2016. |
| ETUMBOT | Custom backdoor (2011–2014) | Second-generation implant targeting Taiwan and Japan. Etumbot is Arbor Networks' name for the family FireEye tracks as RIPTIDE (next row), so the two entries describe one backdoor from two vendors' vantage points. Uses RC4 encryption for C2 communications. Capable of determining whether the victim is using a proxy and bypassing proxy settings to establish direct C2 connections. Reports the victim's NetBIOS name, username, IP address, and proxy configuration on initial check-in. Documented in detail by Arbor Networks in June 2014, which triggered APT12's retooling. |
| RIPTIDE | Custom backdoor (2012–2014) | Proxy-aware backdoor communicating via HTTP to hard-coded C2 servers. First C2 communication fetches an RC4 encryption key used for all subsequent traffic. Observed in campaigns from October 2012 to May 2014. Replaced by HIGHTIDE after Arbor Networks' publication. |
| HIGHTIDE | Custom backdoor (2014+, post-exposure retool) | Modified RIPTIDE variant deployed after Arbor Networks published detailed analysis of RIPTIDE's protocols. Differs from RIPTIDE in executable file location, image base address, User-Agent string in HTTP requests, and URI format. Delivered via spear-phishing with Microsoft Word documents exploiting CVE-2012-0158. Demonstrates APT12's retooling capability. |
| AUMLIB | Custom backdoor (updated 2013) | Used in the New York Times breach and subsequently updated. The modified version encodes the body of POST requests and collects victim's BIOS information, external IP address, and operating system. Updated to evade detection signatures written based on the original variant. |
| THREEBYTE | Custom backdoor (observed 2014) | Previously attributed to APT12, observed in campaigns targeting organisations in Japan and Taiwan. Delivered via malicious documents using the 'Tran Duy Linh' exploit kit exploiting CVE-2012-0158. |
| WATERSPOUT | Backdoor (attribution uncertain) | Newly discovered backdoor observed in campaigns sharing traits with APT12's RIPTIDE and HIGHTIDE operations — similar targeting, delivery mechanism, and exploit kit. FireEye noted the WATERSPOUT campaign had not been positively attributed to APT12 but exhibited significant operational overlap. |
APT12's most operationally significant characteristic is their speed of adaptation. The group actively monitors security vendor publications about their operations and responds by retooling — modifying malware protocols, changing file paths, altering network signatures, and deploying entirely new backdoor variants. This has been observed on at least two distinct occasions.
This behaviour has significant implications for defenders. Indicators of compromise (IOCs) published for APT12 have a shorter shelf life than for many threat groups. Hash values, C2 domains, User-Agent strings, and network traffic signatures are updated rapidly after publication. Defenders relying solely on IOC-based detection will miss retooled variants. Behavioural detection — identifying the techniques rather than the specific tools — is essential for sustained detection of APT12 activity.
APT12's initial access methodology is consistent across campaigns: spear-phishing emails delivering weaponised documents, occasionally supplemented by strategic web compromises (watering-hole attacks) targeting specific organisations.
One of APT12's most distinctive and technically interesting techniques is their method of dynamically calculating C2 communication ports using DNS resolution — the behaviour that gave the group its 'DynCalc' and 'DNSCalc' names.
This technique, using DNS as a control channel to configure implant behaviour, was innovative at the time and reflects operational thinking beyond simple backdoor deployment. Because every implant derives its port from whatever the record currently resolves to, the operator can move the whole victim population to a new port, for instance to adapt to a target's egress controls, by editing a single DNS record and without ever touching the compromised hosts.
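As an added illustration of the detection this technique calls for (example code written for this page, not code from the original article or from any vendor's tooling), the following Python correlates a constructed DNS log with a constructed connection log and flags a host that never contacts the address it resolved but, shortly afterwards, connects elsewhere on a port computable from that address. The log formats, hostnames, domains, the 120-second window and the two octet encodings in `candidate_ports` are assumptions: the page does not state which arithmetic APT12's implants actually apply, so the real formula should be substituted once it is known from sample analysis.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). WS-0117 resolves a domain, never
# contacts the returned address, and two seconds later opens a connection to a
# different host on a port computable from the answer's last two octets.
# WS-0042 is the normal case: it connects to the address it resolved.
DNS_LOG = """\
2014-06-12T09:15:02Z host=WS-0117 query=sync.cdn-status.test answer=203.0.113.3
2014-06-12T09:15:40Z host=WS-0042 query=www.example.com answer=93.184.216.34
"""
FLOW_LOG = """\
2014-06-12T09:15:04Z host=WS-0117 dst=198.51.100.44 dport=28931 proto=tcp
2014-06-12T09:15:41Z host=WS-0042 dst=93.184.216.34 dport=443 proto=tcp
"""

DNS_RE = re.compile(r"(\S+) host=(\S+) query=(\S+) answer=(\S+)")
FLOW_RE = re.compile(r"(\S+) host=(\S+) dst=(\S+) dport=(\d+) proto=\S+")
WINDOW = timedelta(seconds=120)  # assumed: how soon after a lookup the beacon follows


@dataclass
class DnsEvent:
    ts: datetime
    host: str
    query: str
    answer: str


@dataclass
class FlowEvent:
    ts: datetime
    host: str
    dst: str
    dport: int


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(log):
    return [DnsEvent(parse_ts(m[1]), m[2], m[3], m[4])
            for m in map(DNS_RE.match, log.splitlines()) if m]


def parse_flows(log):
    return [FlowEvent(parse_ts(m[1]), m[2], m[3], int(m[4]))
            for m in map(FLOW_RE.match, log.splitlines()) if m]


def candidate_ports(ip):
    """Ports an implant could derive from an A record.

    Both encodings are assumed placeholders: this page does not state the
    arithmetic APT12's implants actually apply, so replace or extend them
    from the sample under analysis. Values outside 1-65535 are dropped.
    """
    _, _, c, d = (int(x) for x in ip.split("."))
    encodings = {"octet3<<8|octet4": (c << 8) | d, "octet4<<8|octet3": (d << 8) | c}
    return {name: port for name, port in encodings.items() if 0 < port <= 65535}


def detect(dns_log, flow_log):
    """One alert per (lookup, connection) pair where the destination port equals
    a value derived from the answer and the answer itself was never contacted."""
    alerts = []
    flows = parse_flows(flow_log)
    for ev in parse_dns(dns_log):
        nearby = [f for f in flows
                  if f.host == ev.host and ev.ts <= f.ts <= ev.ts + WINDOW]
        if any(f.dst == ev.answer for f in nearby):
            continue  # the resolved address was actually used: ordinary traffic
        for f in nearby:
            for name, port in candidate_ports(ev.answer).items():
                if f.dport == port:
                    alerts.append({"host": ev.host, "query": ev.query,
                                   "answer": ev.answer, "dst": f.dst,
                                   "dport": f.dport, "encoding": name})
    return alerts


if __name__ == "__main__":
    for alert in detect(DNS_LOG, FLOW_LOG):
        print(alert)
```

Run as a script it prints a single alert for WS-0117. In production the same logic is driven from passive DNS plus flow or firewall logs keyed by source host; the rule that skips a lookup as soon as the resolved address is actually contacted is what keeps ordinary CDN and load-balancer lookups quiet.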
APT12 does not operate in isolation. It is one component of a vast PRC cyber espionage apparatus that includes dozens of identified threat groups, supported by a national strategy that integrates offensive cyber capabilities into China's broader push for global influence.
| Group | Sponsor | Primary Focus |
|---|---|---|
| APT12 (Numbered Panda) | PLA | East Asian governments (Taiwan, Japan), media, high-tech, defence. Regional intelligence collection and narrative control. |
| APT1 (Comment Crew) | PLA Unit 61398 | Broad industrial espionage — 141+ organisations across 20 industries. Hundreds of terabytes stolen since 2006. Subject of landmark Mandiant 2013 report. |
| APT10 (Stone Panda) | MSS (Tianjin) | Managed service providers (MSPs) for supply-chain access. Healthcare, defence, aerospace, technology. Global targeting. |
| APT40 (Leviathan) | MSS (Hainan) | Maritime, defence, aviation, technology. Focus on South China Sea nations and maritime territorial interests. Subject of 2024 joint advisory by eight nations. |
| APT41 (Winnti) | MSS / Dual-use | Unique dual espionage and financially motivated operations. Healthcare, telecoms, technology, video games. Supply-chain compromises. |
| Volt Typhoon | PRC (specific unit unknown) | Pre-positioning in US critical infrastructure — water, energy, telecoms, transport. Living-off-the-land techniques. Assessed as preparation for potential conflict scenarios. |
| Salt Typhoon | PRC (MSS-linked) | US telecommunications providers including Verizon and AT&T. Interception of communications of senior political figures. Discovered 2024. |
APT12's role within this ecosystem is focused and regional. While groups like APT1 conducted broad industrial espionage and Volt Typhoon pre-positions for conflict scenarios, APT12's mandate centres on East Asian intelligence collection — particularly regarding Taiwan — and the suppression of unfavourable media reporting. This specificity of mission is consistent with PLA operational structure, where individual units are assigned defined areas of responsibility.
APT12's demonstrated ability to rapidly retool after exposure means that defenders must prioritise behavioural and technique-based detection over static indicators of compromise. The hash of today's APT12 backdoor may be irrelevant within weeks of publication.
| Detection Approach | What to Look For | Implementation |
|---|---|---|
| Document exploitation | Office documents or PDFs exploiting known vulnerabilities (above all CVE-2012-0158), and browser or Flash exploits such as CVE-2015-5122 and CVE-2016-0189. Suspicious parent-child process relationships: WINWORD.EXE or AcroRd32.exe spawning cmd.exe or powershell.exe. | Enable process creation auditing (Event ID 4688 with command-line logging turned on, or Sysmon Event ID 1). Deploy EDR with parent-child process monitoring. Ensure document exploitation protections are enabled (Protected View, ASR rules). |
| Right-to-left override filenames | Files containing Unicode RLO character (U+202E) in the filename. Executable files (.scr, .exe, .com) with filenames that appear to end in document extensions (.xls, .doc, .pdf) when displayed. | Email gateway rules detecting RLO characters in attachment filenames. EDR rules flagging process execution from files containing RLO characters. User awareness training on file extension verification. |
| DNS-based C2 port calculation | DNS resolutions to unusual domains where the resolved IP address changes frequently but is never actually connected to — instead, outbound connections occur on ports that correspond to encoded values in the DNS response. | DNS query logging and analysis. Correlation between DNS resolution events and subsequent outbound connections on unusual ports. Passive DNS monitoring for domains resolving to RFC1918 or otherwise suspicious addresses. |
| RC4/Base64 encoded HTTP C2 | HTTP POST requests with encoded or encrypted body content to uncategorised external domains. Consistent beacon intervals with encoded payloads. Self-signed TLS certificates with short, random-looking strings in informational fields. | SSL/TLS inspection for outbound traffic. HTTP proxy logging with content analysis. Network detection rules for known APT12 C2 communication patterns (acknowledging these will need updating as the group evolves). |
| Watering-hole indicators | Compromised websites containing injected iframes, particularly those loading exploit code from external domains. Fingerprinting scripts that check the visitor's IP range or network before delivering payloads. | Web proxy and DNS monitoring for known exploit kit indicators. Browser isolation for high-risk web browsing. Network segmentation limiting blast radius of watering-hole compromises. |
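The right-to-left override row above is easy to get wrong in practice, so here is an added Python example (written for this page, not taken from the original article or from any vendor's product) that shows both why the trick works and how a gateway rule catches it: it renders a spoofed name the way a file manager would, recovers the extension the operating system will actually honour, and classifies the attachment. The sample filenames, the extension lists and the three verdicts are assumptions for illustration.

```python
import os

# Unicode bidirectional controls that change how a filename is displayed
# without changing what the operating system executes.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}


def render_rlo(name):
    """Approximate what a file manager shows for NAME.

    Text after U+202E is drawn right-to-left until a U+202C (pop) or the end
    of the string; the other controls are invisible. This is a deliberate
    simplification of the Unicode bidi algorithm that holds for the plain
    ASCII names attackers use; digits and punctuation can render differently.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_extension(name):
    """Extension the operating system will actually honour: whatever follows
    the last dot in the raw string once control characters are removed."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lstrip(".").lower()


def analyse_attachment(name):
    """Classify an attachment filename as clean, review or block."""
    controls = sorted({BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS})
    displayed = render_rlo(name)
    real_ext = true_extension(name)
    shown_ext = os.path.splitext(displayed)[1].lstrip(".").lower()
    if not controls:
        verdict = "clean"
    elif real_ext in EXECUTABLE_EXTENSIONS and shown_ext in DOCUMENT_EXTENSIONS:
        verdict = "block"   # an executable dressed up as a document
    else:
        verdict = "review"  # a bidi control has no business in a filename
    return {
        "raw": name.encode("unicode_escape").decode("ascii"),
        "displayed": displayed,
        "controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample names: one RLO-spoofed executable, one benign document.
    for sample in ("report\u202Efdp.exe", "budget_2014.xls"):
        print(analyse_attachment(sample))
```

`report\u202Efdp.exe` is shown to the user as `reportexe.pdf` but runs as a `.exe`, which is exactly the mismatch the block verdict keys on. Apply the check only after decoding the RFC 2047 or RFC 2231 encoded form of the Content-Disposition filename: a non-ASCII name never appears literally in the raw header, so a rule that grepped the undecoded header for U+202E would miss every real case.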
APT12 is a PRC-linked cyber espionage group that has operated since at least 2009, conducting intelligence collection operations against Taiwanese and Japanese government entities, media organisations, high-technology companies, and defence-adjacent industries. Their 2012 breach of the New York Times demonstrated that PRC threat actors will directly target Western journalism in response to reporting that embarrasses the Chinese Communist Party leadership.
The group's defining operational characteristic is rapid adaptation. When security vendors publish analysis of APT12's tools and infrastructure, the group reads the research, identifies the detection methods described, and modifies their operations specifically to evade those methods — often within weeks. This 'Darwinian' evolution, documented across multiple retooling cycles, makes APT12 a particularly resilient adversary against IOC-based detection approaches.
For organisations in APT12's target set — Taiwanese government entities, Japanese organisations, East Asian technology and electronics companies, media outlets covering PRC affairs, and defence-adjacent organisations in the region — APT12 represents a documented, persistent threat whose tools change but whose mission does not. Defending against them requires technique-based detection, robust email security against weaponised documents, DNS monitoring for their distinctive C2 port calculation method, and the understanding that any public reporting on their current operations will trigger adaptation rather than cessation.
Our <a href="https://www.cyber-defence.io/services/threat-intelligence">threat intelligence</a> assessments map your organisation's profile against known APT targeting patterns, identifying which threat groups are most relevant to your sector, geography, and business activities — and recommending specific, prioritised defences against their documented techniques.