APT1: A Nation-State Adversary Attacking a Broad Range of Corporations and Government Entities Around the World

See All

Threat Actor Profile


Origin: China, 2006

Aliases: Comment Crew, Comment Group, Comment Panda, Byzantine Candor, GIF89a, Group 3, TG-8223, Unit 61398

Key Target Sectors: Manufacturing, Information Technology, Healthcare, Finacial Services, Government, Transportation, Communication, Energy and Power

Attack Vectors: Spear-phishing, Unauthorized Access, Data Theft

Target Region: Eastern Asia, North America

Malware Used: Downbot, Ecltys, Seasalt, Barkfork, Poison Ivy, Mimikatz, WakeMinap, Dalbot, Revird, Badname, Cachedump, Wualess, Calendar, GlooXmail, WEBC2 

Tools Used: Mimikatz, Cachedump, Gsecdump, IPconfig, Lslsass, Pass-The-Hash Toolkit, Net, PsExec, Pwdump, Tasklist, and xCmd

Overview


APT1 is a China-based cyber-espionage group, active since mid-2006. It is believed to be a part of the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department. Since 2006, the APT1 has compromised over 140+ organizations spanning 20 strategically important industries.

Which organizations have they targeted?


APT1 is known for systematically stealing hundreds of terabytes of data from at least 141 organizations between 2006 and 2013. Among the large-scale thefts of intellectual property, APT1 was observed to be stealing 6.5 terabytes of compressed data from a single organization for over ten months. At the beginning of 2011, APT1 had compromised around 17 new victims operating in 10 different industries. APT1 was identified as one of the several Chinese APT groups that were siphoning the proprietary data from the crown jewels of US corporations out of their networks and into computers in China. In all, of the 141 APT1 victims, 87% were headquartered in countries where English was the native language. Over seven years (2006 - 2013), APT1 had stolen trade secrets and other confidential information from various foreign businesses such as Lockheed Martin, Telvent, and other organizations in the energy, engineering, manufacturing, shipping, arms, aeronautics, electronics, financial, and software sectors. This group was spotted again in early-2016 carrying out operation Dust Storm, aimed at Japanese critical infrastructure.

Later in 2018, APT1 associated malware was observed in Operation Oceansalt, a campaign against Korea, US, and Canada. This time again, they targeted broad categories of intellectual property, including technology, business plans, test results, pricing documents, and contact and emails lists from high profile victims. The malware implant used in this campaign showed code similarities with a tool previously used by APT1, namely Seasalt. The campaign was launched in five waves of attacks, with each wave being adapted to the targets. The first two attacks were spearfishing-based campaigns, and used malicious Korean-language Microsoft Excel documents to download the malware implant, while the third one switched to Microsoft Word documents. Waves four and five targeted a small number of organizations outside of South Korea, including the U.S. and Canada.

What is their motivation behind the attacks?


The organizations targeted by APT1 match with the industries that China has marked as critical to their growth. This includes four of the seven emerging industries that China has identified as critical for its development, in its 12th Five Year Plan. The APT is said to be working on behalf of (or in coordination with) China's military unit known as "PLA Unit 61398", which is tasked with computer network operations (CNO). This military unit focuses on political, economic, and military-related intelligence that can benefit China.

Modus Operandi


A typical APT1 cyber-attack begins by sending spear phishing emails to the victim. These emails have official language and themes to make them look authentic but carry a malicious attachment. When a victim opens the attachment, the backdoor provides control of the targeted machine to the APT1. Once they gain access to the network, they can visit any targeted system at any time. The group remains latent for very long durations, sometimes over several months or even years, without victims having any hint about the intrusion.
They target intellectual property, like proprietary manufacturing processes, technology blueprints, test results, pricing documents, business plans, emails and contact lists, and partnership agreements from the victim organizations. The group maintains access to victim’s networks for an average of 356 days. The group also installs new backdoors to the already infected systems in the environment. In such a scenario, even if one backdoor is detected and deleted, they still have other backdoors that can be used.

Known tools and malware


APT1 is known to use multiple families of backdoors and Trojans to infiltrate into the targeted network. Along with using several backdoors and Trojan, the group also uses various open-source utility tools in their cyber attack campaigns.

Malicious programs used by APT1

  • Downbot - Trojan horse that comes hidden in malicious programs.
  • Ecltys - Trojan horse that opens a backdoor on the victimized computer system.
  • Seasalt - Adware that comes with an excessive display of advertisements.
  • Barkfork - Backdoor that comes hidden in malicious programs.
  • Poison Ivy - Remote Access Trojan (RAT), designed with spying capabilities.
  • WakeMinap - Trojan horse that opens a backdoor on the compromised computer.
  • Dalbot - Trojan horse that opens a backdoor on the compromised computer.
  • Revird - Trojan horse that opens a backdoor on the compromised computer.
  • Badname - Trojan horse that can gain remote unauthorized access and control over the affected computer.
  • Wualess - Trojan horse that opens a backdoor on the compromised computer.
  • Biscuit - It is a backdoor that has been used by APT1 since as early as 2007.
  • Calendar - It is malware that mimics legitimate Gmail Calendar traffic.
  • GlooXmail - It is a malware that mimics legitimate Jabber/XMPP traffic.
  • WEBC2 - A backdoor that is used to retrieve a Web page from a predetermined C2 server.

Other prominent malware used by APT1 are Auriga, Bangat, Bouncer, Combos, Cookiebag, Dairy, Getmail, Gdocupload, Goggles, Greencat, Hackfase, Helauto, Kurton, Lightbolt, Lightdart, Longrun, Manitsme, Mapiget, Miniasp, Newsreels, Starsypound, Sword, Tabmsgsql, Tarsip-eclipse, Tarsip-moon, Warp, Webc2-adspace, Webc2-ausov, Webc2-bolid, Webc2-clover, Webc2-cson, Webc2-div, Webc2-greencat, Webc2-head, Webc2-kt3, Webc2-qbp, Webc2-rave, Webc2-table, Webc2-ugx, Webc2-y21k, Webc2-yahoo and Webc2-tock.

Known Commercial/Open Source tools used by APT1

  • Cachedump - It is a publicly-available tool that extracts cached password hashes from a system’s registry.
  • Gsecdump - It is a publicly-available credential dumper, used to obtain password hashes and LSA secrets from Windows operating systems.
  • IPconfig - A Windows utility that can be used to find information about a system's DNS, DHCP, TCP/IP, and adapter configuration.
  • Lslsass - A publicly-available tool that can dump active login session password hashes from the Lsass process.
  • Mimikatz - It is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
  • Pass-The-Hash Toolkit - A toolkit that allows an attacker to "pass" a password hash (without knowing the original password) to login to systems.
  • Net - This utility is a component of the Windows operating system.
  • PsExec - A command-line tool that lets its user execute processes on remote systems. It is used by IT administrators and attackers.
  • Pwdump - A credential dumper tool to dump passwords.
  • Tasklist - A utility that shows a list of services and applications with their Process IDs (PID) for every task running on either a remote or local computer.
  • xCmd - An open source tool that allows the user to execute applications on remote systems.

Attribution


On 19 May 2014, five officers were charged for theft of confidential intellectual property and business information from U.S. commercial firms and of planting malicious software on their computers. The five individuals were named as Wen Xinyu, Huang Zhenyu, Gu Chunhui, Sun Kailiang, and Wang Dong. The Forensic evidence traced the base of operations to a 12-story building near the Datong Road, in a public, mixed-use area of Pudong in Shanghai, belonging to Unit 61398.

Prevention


Organizations should implement effective countermeasures, such as Antivirus, Firewalls, Host-based Intrusion Detection Systems (HIDS) and Intrusion Prevention Systems (IPS) to detect APT1’s intrusions at the initial level. And at the same time, they should also consider sharing of actionable intelligence about the threats, like important hashes (SHA1, MD5, etc.), malicious IP addresses, domains, URLs to ensure timely identification and proactive remediation. They should also systematically respond to any suspicious incident to neutralize the threat actor in the early stages of the cyber kill chain. Since the main focus of APT1 is stealing intellectual property, deploying data loss prevention (DLP) systems to monitor data-at-rest, data-in-motion, and data-at-end-points, along with the implementation of advanced detection techniques to find malware, e.g., sandbox execution for analyzing malware can help prevent attacks from such threats. The APT1 is also known to use spear-phishing, which could be prevented via inculcating situational awareness among all employees along with phishing simulations, strict policies, and periodic refreshers that discourage unsafe behaviors.

Indicators of Compromise


SHA1 (Operation Oceansalt)
0ae167204c841bdfd3600dddf2c9c185b17ac6d4
12a9faa96ba1be8a73e73be72ef1072096d964fb
1f70715e86a2fcc1437926ecfaeadc53ddce41c9
281a13ecb674de42f2e8fdaea5e6f46a5436c685
42192bb852d696d55da25b9178536de6365f0e68
583879cfaf735fa446be5bfcbcc9e580bf542c8c
832d5e6ebd9808279ee3e59ba4b5b0e884b859a5
Be4fbb5a4b32db20a914cad5701f5c7ba51571b7
D72bc671583801c3c65ac1a96bb75c6026e06a73
Dd3fb2750da3e8fc889cd1611117b02d49cf17f7
E5c6229825f11d5a5749d3f2fe7acbe074cba77c5
Fc121db04067cffbed04d7403c1d222d376fa7ba
Ec9a9d431fd69e23a5b770bf03fe0fb5a21c0c36
9fe4bfdd258ecedb676b9de4e23b86b1695c4e1e

IP Address (Operation Oceansalt)
27[.]102[.]112[.]179
158[.]69[.]131[.]78
211[.]104[.]160[.]196
172[.]81[.]132[.]62

MD5 (Auriga)
6B31344B40E2AF9C9EE3BA707558C14E
CDCD3A09EE99CFF9A58EFEA5CCBE2BED

MD5 (Bangat)
4C6BDDCCA2695D6202DF38708E14FC7E
8E8622C393D7E832D39E620EAD5D3B49
468FF2C12CFFC7E5B2FE0EE6BB3B239E
727A6800991EEAD454E53E8AF164A99C
BD8B082B7711BC980252F988BB0CA936
DB05DF0498B59B42A8E493CF3C10C578
E1B6940985A23E5639450F8391820655
EF8E0FB20E7228C7492CCDC59D87C690

MD5 (Biscuit)
5A728CB9CE56763DCCB32B5298D0F050
5D8129BE965FAB8115ECA34FC84BD7F0
7CB055AC3ACBF53E07E20B65EC9126A1
12F25CE81596AEB19E75CC7EF08F3A38
43B844C35E1A933E9214588BE81CE772
70A55FDC712C6E31E013E6B5D412B0D6
268EEF019BF65B2987E945AFAF29643F
15901DDBCCC5E9E0579FC5B42F754FE8
034374DB2D35CF9DA6558F54CEC8A455
DA383CC098A5EA8FBB87643611E4BFB6

MD5 (Bouncer)
6EBD05A02459D3B22A9D4A79B8626BF1
57353ECBAECE29ECAF8025231EB930E3
CF038194F0FE222F31EC24CB80941BB1
D2F1BE7E10ED39AA8BC0F7F671D824D2
F90DA15F862BB8452FC51D3F0DBB3373

MD5 (GreenCat)
0C5E9F564115BFCBEE66377A829DE55F
1F92FF8711716CA795FBD81C477E45F5
3E6ED3EE47BCE9946E2541332CB34C69
3E69945E5865CCC861F69B24BC1166B6
5AEAA53340A281074FCB539967438E3F
6D2320AF561B2315C1241E3EFD86067F
30E78D186B27D2023A2A7319BB679C3F
36C0D3F109AEDE4D76B05431F8A64F9E
55FB1409170C91740359D1D96364F17B
57E79F7DF13C0CB01910D0C688FCD296
120C2E085992FF59A21BA401EC29FEC9
390D1F2A620912104F53C034C8AEF14B
871CC547FEB9DBEC0285321068E392B8
7388D67561D0A7989202AD4D37EFF24F
A99E06E2F90DB4E506EF1347A8774DD5
A565682D8A13A5719977223E0D9C7AA4
AB208F0B517BA9850F1551C9555B5313
B3BC979D8DE3BE09728C5DE1A0297C4B
B5E9CE72771217680EFAEECFAFE3DA3F
B8F61242E28F2EDF6CB1BE8781438491
BA0C4D3DBF07D407211B5828405A9B91
C044715C2626AB515F6C85A21C47C7DD
E54CE5F0112C9FDFE86DB17E85A5E2C5
E83F60FB0E0396EA309FAF0AED64E53F
F4ED3B7A8A58453052DB4B5BE3707342
FAB6B0B33D59F393E142000F128A9652




  • Share this blog:
Previous
Deciphering the ATT&CK Navigator: Part 2 - ATT&CK Use Cases
Next
List of Data Breaches, Malware, Vulnerabilities, Scams, and Issued Patches in May, 2019
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.