Unfading Sea Haze is a South China Sea–region APT that has been active since at least 2018, targeting military and government entities to support Chinese interests. A threat-intelligence preview details Internet-facing artifacts such as 21 domain names and 13 IP addresses, plus a broader set of IoCs tied to the group’s infrastructure. #UnfadingSeaHaze #SouthChinaSea
Keypoints
- The APT group named “Unfading Sea Haze” has targeted eight known victims, mainly military and government entities around countries bordering the South China Sea.
- Bitdefender Labs published IoCs associated with the group, and WhoisXML API expanded the findings to include 21 domain names and 13 IP addresses, among other artifacts.
- The IoCs include a large number of domain-related items: 758 email-connected domains, 272 IP-connected domains, and 253 string-connected domains.
- The full research is available for download from WhoisXML API, with a preview provided in the report.
- Domain infrastructure analysis shows the IoCs span 11 registrars, with Dynu Systems, Gandi SAS, GoDaddy, and Namecheap accounting for multiple domains.
- Domain ages range from 2001 to 2024, including four domains created in 2022, indicating use of both old and new domains.
- IP geolocation indicates origins across five countries, with Singapore and the U.S. each accounting for five IPs; DigitalOcean hosts eight of the IPs, and other IPs are associated with China, the Netherlands, and Turkey.
MITRE Techniques
- [T1583.001] Acquire Infrastructure – Domains – The IoCs include 21 domain names (some of which were extracted from subdomains) and 13 IP addresses. Quote: “The WhoisXML API research team expanded the list comprising 21 domain names (some of which were extracted from subdomains) and 13 IP addresses and uncovered: …”
- [T1583.002] Acquire Infrastructure – IP addresses – The IoCs comprise 13 IP addresses used for the group’s infrastructure. Quote: “and 13 IP addresses and uncovered:”
- [T1012] Query Registry – Domain registration data and creation dates used to profile attacker infrastructure. Quote: “The domain IoCs were spread across 11 registrars topped by Dynu Systems, Inc.; Gandi SAS; GoDaddy.com LLC; and Namecheap, Inc., which accounted for three domains each.”
Indicators of Compromise
- [Domain] IoCs – 21 domain names (some from subdomains) and 758 email-connected domains, 272 IP-connected domains, and 253 string-connected domains
- [IP Address] IoCs – 13 IP addresses; geolocation shows origins across five countries, with Singapore and the U.S. accounting for five IPs each, and DigitalOcean hosting eight of the IPs
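As an added example (not code from the CircleID, WhoisXML API or Bitdefender reports), the script below shows how a defender would operationalise an IoC set like this one: it matches DNS-resolver log lines against a list of IoC domains and against IoC IPs in the resolved answer, and annotates each hit with the domain's WHOIS age, since the report notes that the infrastructure mixes domains created as far back as 2001 with ones created in 2022. Because some of the published domains were extracted from subdomains, matching is done label by label so that a query for a deeper subdomain still hits the listed parent. The domain and IP values, creation dates, log format and log lines are all constructed placeholders, not the report's real indicators, which are only in the downloadable research.

```python
"""Match DNS-resolver log lines against an IoC set of domains and IPs.

Added example; not code from the CircleID / WhoisXML API / Bitdefender
reports. Every indicator value, creation date and log line below is a
constructed placeholder (RFC 2606 / RFC 5737 reserved names and ranges).
"""
from datetime import date
import ipaddress
import re

# Constructed placeholder IoC domains (the real set has 21 domains).
IOC_DOMAINS = {"example-c2.invalid", "update.example-drop.invalid"}
# Constructed placeholder IoC IPs (the real set has 13 addresses).
IOC_IPS = {"203.0.113.7", "198.51.100.22"}
# Constructed WHOIS creation dates; the report notes a 2001-2024 age spread.
CREATED = {
    "example-c2.invalid": date(2022, 3, 14),
    "update.example-drop.invalid": date(2001, 6, 1),
}

# Constructed resolver log format: "<ts> <client> query=<qname> answer=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

# Constructed sample log lines; line 5 is deliberately malformed.
SAMPLE_LOG = [
    "2024-06-21T10:00:01Z 10.0.0.5 query=www.example.com answer=93.184.216.34",
    "2024-06-21T10:00:02Z 10.0.0.5 query=cdn.example-c2.invalid. answer=203.0.113.7",
    "2024-06-21T10:00:03Z 10.0.0.9 query=update.example-drop.invalid answer=192.0.2.1",
    "2024-06-21T10:00:04Z 10.0.0.9 query=mail.corp.local answer=198.51.100.22",
    "this line does not parse",
]


def domain_matches(qname, iocs):
    """Return the IoC that qname equals or sits under, else None.

    Label-wise comparison, so "cdn.example-c2.invalid" hits
    "example-c2.invalid" while "notexample-c2.invalid" does not.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Stop before the bare TLD so a registry suffix alone never matches.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def ip_matches(answer, iocs):
    """Return the IoC IP equal to the (normalised) answer, else None."""
    try:
        ip = str(ipaddress.ip_address(answer))
    except ValueError:
        return None  # answer was not an address (CNAME, NXDOMAIN, ...)
    return ip if ip in iocs else None


def registration_age_days(domain, created, today):
    """Days since WHOIS creation, or None when the date is unknown."""
    if domain not in created:
        return None
    return (today - created[domain]).days


def scan(lines, domain_iocs=IOC_DOMAINS, ip_iocs=IOC_IPS,
         created=CREATED, today=date(2024, 6, 21)):
    """Return one dict per log line that touches an IoC domain or IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-query line: skip rather than crash
        d = domain_matches(m["qname"], domain_iocs)
        ip = ip_matches(m["answer"], ip_iocs)
        if d is None and ip is None:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "qname": m["qname"],
            "domain_ioc": d,
            "ip_ioc": ip,
            "domain_age_days": registration_age_days(d, created, today) if d else None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `today` parameter is fixed so results are reproducible; in production you would pass `date.today()` and feed the resolver's real log lines, and the age field lets an analyst sort hits by how recently the matched domain was registered.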
Read more: https://circleid.com/posts/20240621-following-the-dns-trail-of-apt-group-newbie-unfading-sea-haze