Understanding Attacks Linked to

Presented by: Ashwin (Microsoft Azure MVP)

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.


MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Compromise Infrastructure

Resource Development


APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise.


This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Monitoring the following activities in your Organization can help you detect this technique.

Internet Scan: Response Content

Logged network traffic in response to a scan showing both protocol header and body values

Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.

Internet Scan: Response Metadata

Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.