China APT 10/APT 31: Following the breach of the Norwegian software company Visma, many were quick to point the finger at China's APT 10. Multiple security firms, as well as the U.S. Department of Justice (DOJ), named APT 10 as the culprit. However, some now believe it may have been a different Chinese group, APT 31. A central piece of the assessment that APT 10 was behind the attack was the use of the Trochilus malware, which APT 10 has deployed in other attacks in the past. Although APT 10 has employed Trochilus a number of times before, this is a new variant that uses a completely different command and control structure, one that has been tied to APT 31.
China routinely shuffles personnel between different teams, standing down some groups while creating others or reforming old ones. This makes attribution of Chinese attacks more difficult, as it produces a greater overlap in tactics, tooling, and indicators across groups.