The Counting House: APT19

Threat Intelligence Tarot

Vol. II · 110

China

G0073

★★★★★

risk 3/5

✦ The Counting House ✦

APT19

Codoso · C0d0so0 · Sunshop Group · Deep Panda variant

Financial servicesLaw firmsInvestment bankingTechnologyHealthcare

Active since ~2013 · Economic espionage, Financial intelligence

The Counting House does not steal money. It steals the moments before money moves — the unannounced merger, the unfiled patent, the unsigned settlement. Profit flows naturally from foreknowledge.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1189

Drive-by Compromise

Initial Access

T1059.001

PowerShell

Execution

T1027

Obfuscated Files or Information

Defense Evasion

T1547.001

Registry Run Keys

Persistence

T1136.001

Create Local Account

Persistence

T1071.001

Web Protocols

Command and Control

Notable Operations

◆Forbes.com watering hole (2014)
◆Law firm intrusions ahead of major M&A announcements
◆Healthcare insurance plan compromises
◆Forbes Thought of the Day widget weaponization

Defenses

▸
Deal-team data segregation with project-specific access boundaries
CIS Control 6 ↗
▸
Browser isolation for high-value finance and legal users
CIS Control 9 ↗
▸
Email exfiltration monitoring with DLP on sensitive matters
NIST CSF: PR.DS ↗
▸
Pre-announcement insider activity correlation with security events
NIST CSF: DE.AE ↗

Reversed: Their Weakness

Insider trading enforcement and SEC scrutiny of unusual market moves narrow this operator's window. The intelligence is only valuable while still secret.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Hidden Lynx Next →The Emissary

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.