Investigation into APT5 and the inner workings of PLA Troop 61786
I am relatively new to the cybersecurity community and have tracked low-level criminal groups who conduct computer network exploitation (CNE). My method of investigating criminal activity begins with sleuthing the dark web for tipping information. From there, I overlay leaked CNE data and TTPs with persona information. I began tracking a subset of what was assessed to be low-level criminal activity, which actually turned out to be a group of six officers working together within the PRC People's Liberation Army (PLA) Troop 61786. This group appears to be associated with Advanced Persistent Threat 5 (APT5). My starting point for this investigation was the Singapore-based IP 5.188.34.116, a virtual private server (VPS) associated with G-Core Labs. A review of the VPS data from this IP on the dark web revealed that the user had unsophisticated tradecraft, as evidenced by the significant amount of PII and forensic artifacts left behind. This data point served as the foundation...