Threat Intelligence Tarot
Vol. II · 108
China
G0005
risk 3/5
The Numbered Scribe
APT12
Numbered Panda · Calc Team · DynCalc · DNSCALC · IXESHE
Media · Taiwan government · Japan · Defense industrial base · Diplomatic missions
Active since ~2008 · Espionage, Political intelligence
The Numbered Scribe writes its dispatches in dotted decimals: each calculation a domain, each domain a different mask. When journalists wrote the wrong story, this scribe was already inside their drafts folder.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1059.003 Windows Command Shell (Execution)
  • T1071.001 Web Protocols (Command and Control)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1105 Ingress Tool Transfer (Command and Control)
  • T1547.001 Registry Run Keys (Persistence)
Notable Operations
  • New York Times intrusion (2012-2013)
  • Etumbot and IXESHE backdoor campaigns
  • Taiwan government and ROC defense ministry targeting
  • Japan media and high-tech sector espionage
Defenses
  • DNS monitoring for unusual TXT or sub-domain calculation patterns
    NIST CSF: DE.CM
  • Email attachment sandboxing with macro execution analysis
    CIS Control 9
  • Newsroom and editorial system isolation from corporate network
    CIS Control 12
  • Endpoint detection tuned for renamed living-off-the-land binaries
    MITRE D3FEND
Reversed: Their Weakness
Public attribution via Mandiant's 2013 NYT report cost APT12 its preferred infrastructure and forced a year-long rebuild. Disclosure remains its most consistent counter.

Data sourced from MITRE ATT&CK. For educational purposes.