Chinese-based Group APT15 is Responsible for Stealing Information from the UK Government’s Contractor

Researchers at NCC Group have released a report regarding the attack launched on the company that provides a range of services to the UK government. It did not take long for researchers to find out that a group of cyber criminals called APT15 was involved into this. It has been observed that the APT15 group might use other names too, for example, Ke3chang, Playful Dragon, and Vixen Panda GREF. It is no longer a secret that the group uses servers registered in China, which suggests that cyber criminals are residents of China. Some experts believe that APT15 might even be working for the Chinese government. As specialists working in the cyber-security department have explained, the group has been active for more than a year now judging from commands researchers managed to access and decode. As for the most recent attack carried out by them, experts suspect that it might be “part of a wider operation aimed at various UK government departments and military organizations.” Other institutions based in Europe might be affected in the near future as well.


There is a reason why APT15 compromised the network of the company providing various services to the UK government. There is no doubt that the purpose of the attack was to steal secret information. Since the attackers operated on the affected network from May 2016 until late 2017 and compromised more than 30 hosts during that time, sensitive information related to “UK government departments and sensitive communication technology” must already be in the hands of cyber criminals.

The thorough analysis of the most recent attack performed by APT15 against the UK government service provider revealed that cyber criminals used both new and old tools to achieve their goals. Specifically speaking, an old backdoor BS2005 traditionally used by the group was used together with two new backdoors RoyalDNS and RoyalCli.

As mentioned, unlike RoyalDNS and RoyalCli backdoors, the BS2005 backdoor was already used by APT15 in the past, and, consequently, it has already been documented by the FireEye security company. To be more specific, it was involved in the attacks against European ministries, and it seems that it targeted London Olympics too. RoyalCli “appears to be an evolution of BS2005,” specialists say because it uses similar “encryption and encoding routines.” What else researchers have observed is that they both communicate with the C&C server using Internet Explorer. This is done using IWebBrowser2. It seems that this technique is not perfect – it left cached data in the disk. As a consequence, researchers could trace the attack. Finally, like BS2005, RoyalCli, it executes almost all its commands using the Command Prompt.

As for RoyalDNS, it “takes commands, runs them, then returns output using DNS”. In this sense, it completely differs from BS2005 and RoyalCli which communicate using HTTP. In addition, research has shown that RoyalDNS is also responsible for regaining access to the corporate network if cyber criminals get ejected from it.

To extract and collect secret information, the APT15 group used Comma Separated Value Data Exchange and Bulk Copy Program linked to Microsoft SQL. In addition, other necessary tools used in the attack involved a network scanning/enumeration tool, WinRar, and “spwebmember,” which is known to be “Microsoft SharePoint enumeration and data dumping tool.” Last but not least, attackers used their own keyloggers and the .NET tool. Finally, Mimikatz, considered to be one of the best tools to gather credential data, was also involved in the recent attack. It should be noted that this is not a full list of tools/methods used by APT15.


There is no doubt that the APT15 group consists of experienced cyber criminals that can develop their own tools for specific attacks, so it is not very likely that the attack against the UK government contractor was their last one.


  1. APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. NCC Group
  2. Free stock photos. Pexels
  3. Mimikatz. Active Directory Security
  4. Muncaster, P. Chinese APT15 Group Steals UK Military Docs. Infosecurity
  5. New tools uncovered from hacking group APT15. NCC Group
  6. Paganini, P. China-Linked APT15 used new backdoors in attack against UK Government’s service provider. Security affairs