splunk
diff --git a/‎stories/china_nexus_threat_activity.yml‎
Lines changed: 22 additions & 0 deletions b/‎stories/china_nexus_threat_activity.yml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎stories/nexus_apt_threat_activity.yml‎
Lines changed: 0 additions & 21 deletions b/‎stories/nexus_apt_threat_activity.yml‎
Lines changed: 0 additions & 21 deletions
@@ -0,0 +1,22 @@
+name: China-Nexus Threat Activity
+id: 43f8062d-4da0-4f48-8cad-6a20e108961b
+version: 2
+date: '2025-02-24'
+author: Teoderick Contreras, Splunk
+status: production
+description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
+narrative: Chinese state-nexus threat group are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
+references:
+- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
+- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink
+- https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-_testimony_-_meyers.pdf
+- https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf
+- https://www.crowdstrike.com/adversaries/envoy-panda/
+tags:
+  category:
+  - Malware
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection