Threat Actor Profile
Origin: China, 2006
Aliases: Comment Crew, Comment Group, Comment Panda, Byzantine Candor, GIF89a, Group 3, TG-8223, Unit 61398
Key Target Sectors: Manufacturing, Information Technology, Healthcare, Financial Services, Government, Transportation, Communication, Energy and Power
Attack Vectors: Spear-phishing, Unauthorized Access, Data Theft
Target Region: Eastern Asia, North America
Malware Used: Downbot, Ecltys, Seasalt, Barkfork, Poison Ivy, Mimikatz, WakeMinap, Dalbot, Revird, Badname, Cachedump, Wualess, Calendar, GlooXmail, WEBC2
Tools Used: Mimikatz, Cachedump, Gsecdump, IPconfig, Lslsass, Pass-The-Hash Toolkit, Net, PsExec, Pwdump, Tasklist, and xCmd
APT1 is a China-based cyber-espionage group, active since mid-2006. It is believed to be part of the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department. Since 2006, APT1 has compromised more than 140 organizations spanning 20 strategically important industries.
Which organizations have they targeted?
APT1 is known for systematically stealing hundreds of terabytes of data from at least 141 organizations between 2006 and 2013. Among its large-scale thefts of intellectual property, APT1 was observed stealing 6.5 terabytes of compressed data from a single organization over ten months. At the beginning of 2011, APT1 had compromised around 17 new victims operating in 10 different industries. APT1 was identified as one of several Chinese APT groups siphoning proprietary data, the crown jewels of US corporations, out of their networks and into computers in China. In all, 87% of the 141 APT1 victims were headquartered in countries where English is the native language. Over seven years (2006 - 2013), APT1 stole trade secrets and other confidential information from foreign businesses such as Lockheed Martin, Telvent, and other organizations in the energy, engineering, manufacturing, shipping, arms, aeronautics, electronics, financial, and software sectors. The group was spotted again in early 2016 carrying out Operation Dust Storm, aimed at Japanese critical infrastructure.
Later, in 2018, APT1-associated malware was observed in Operation Oceansalt, a campaign against Korea, the US, and Canada. Once again, the targets were broad categories of intellectual property, including technology, business plans, test results, pricing documents, and contact and email lists from high-profile victims. The malware implant used in this campaign showed code similarities with a tool previously used by APT1, namely Seasalt. The campaign was launched in five waves, each adapted to its targets. The first two waves were spear-phishing campaigns that used malicious Korean-language Microsoft Excel documents to download the implant, while the third switched to Microsoft Word documents. Waves four and five targeted a small number of organizations outside South Korea, including in the U.S. and Canada.
What is their motivation behind the attacks?
The organizations targeted by APT1 match the industries that China has marked as critical to its growth, including four of the seven emerging industries that China identified as critical for its development in its 12th Five Year Plan. The group is said to work on behalf of (or in coordination with) the Chinese military unit known as "PLA Unit 61398", which is tasked with computer network operations (CNO). This unit focuses on political, economic, and military-related intelligence that can benefit China.
A typical APT1 intrusion begins with spear-phishing emails sent to the victim. These emails use official language and themes to look authentic but carry a malicious attachment. When a victim opens the attachment, the backdoor it installs gives APT1 control of the targeted machine. Once inside the network, the operators can return to any targeted system at any time. The group stays dormant for very long periods, sometimes several months or even years, without the victim having any hint of the intrusion.
They target intellectual property such as proprietary manufacturing processes, technology blueprints, test results, pricing documents, business plans, emails and contact lists, and partnership agreements. The group maintains access to victims' networks for an average of 356 days. It also installs additional backdoors on systems that are already infected, so that even if one backdoor is detected and removed, others remain available.
Known tools and malware
APT1 is known to use multiple families of backdoors and Trojans to infiltrate targeted networks. Alongside these backdoors and Trojans, the group also uses various open-source utility tools in its campaigns.
Malicious programs used by APT1
- Downbot - Trojan horse that comes hidden in malicious programs.
- Ecltys - Trojan horse that opens a backdoor on the victimized computer system.
- Seasalt - Adware that comes with an excessive display of advertisements.
- Barkfork - Backdoor that comes hidden in malicious programs.
- Poison Ivy - Remote Access Trojan (RAT), designed with spying capabilities.
- WakeMinap - Trojan horse that opens a backdoor on the compromised computer.
- Dalbot - Trojan horse that opens a backdoor on the compromised computer.
- Revird - Trojan horse that opens a backdoor on the compromised computer.
- Badname - Trojan horse that can gain remote unauthorized access and control over the affected computer.
- Wualess - Trojan horse that opens a backdoor on the compromised computer.
- Biscuit - It is a backdoor that has been used by APT1 since as early as 2007.
- Calendar - It is malware that mimics legitimate Gmail Calendar traffic.
- GlooXmail - It is a malware that mimics legitimate Jabber/XMPP traffic.
- WEBC2 - A backdoor that is used to retrieve a Web page from a predetermined C2 server.
Other prominent malware used by APT1 are Auriga, Bangat, Bouncer, Combos, Cookiebag, Dairy, Getmail, Gdocupload, Goggles, Greencat, Hackfase, Helauto, Kurton, Lightbolt, Lightdart, Longrun, Manitsme, Mapiget, Miniasp, Newsreels, Starsypound, Sword, Tabmsgsql, Tarsip-eclipse, Tarsip-moon, Warp, Webc2-adspace, Webc2-ausov, Webc2-bolid, Webc2-clover, Webc2-cson, Webc2-div, Webc2-greencat, Webc2-head, Webc2-kt3, Webc2-qbp, Webc2-rave, Webc2-table, Webc2-ugx, Webc2-y21k, Webc2-yahoo and Webc2-tock.
Known Commercial/Open Source tools used by APT1
- Cachedump - It is a publicly-available tool that extracts cached password hashes from a system’s registry.
- Gsecdump - It is a publicly-available credential dumper, used to obtain password hashes and LSA secrets from Windows operating systems.
- IPconfig - A Windows utility that can be used to find information about a system's DNS, DHCP, TCP/IP, and adapter configuration.
- Lslsass - A publicly-available tool that can dump active login session password hashes from the Lsass process.
- Mimikatz - It is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
- Pass-The-Hash Toolkit - A toolkit that allows an attacker to "pass" a password hash (without knowing the original password) to login to systems.
- Net - This utility is a component of the Windows operating system.
- PsExec - A command-line tool that lets its user execute processes on remote systems. It is used by IT administrators and attackers.
- Pwdump - A credential dumper tool to dump passwords.
- Tasklist - A utility that shows a list of services and applications with their Process IDs (PID) for every task running on either a remote or local computer.
- xCmd - An open source tool that allows the user to execute applications on remote systems.
On 19 May 2014, five officers were charged with theft of confidential intellectual property and business information from U.S. commercial firms and with planting malicious software on their computers. The five individuals were named as Wen Xinyu, Huang Zhenyu, Gu Chunhui, Sun Kailiang, and Wang Dong. Forensic evidence traced the base of operations to a 12-story building near Datong Road, in a public, mixed-use area of Pudong in Shanghai, belonging to Unit 61398.
Organizations should implement effective countermeasures, such as antivirus, firewalls, host-based intrusion detection systems (HIDS) and intrusion prevention systems (IPS), to detect APT1's intrusions at the earliest stage. At the same time, they should share actionable intelligence about the threat, such as file hashes (SHA1, MD5, etc.), malicious IP addresses, domains, and URLs, to ensure timely identification and proactive remediation. They should also respond systematically to any suspicious incident so that the threat actor is neutralized in the early stages of the cyber kill chain. Since APT1's main focus is stealing intellectual property, deploying data loss prevention (DLP) systems to monitor data at rest, in motion, and at endpoints, together with advanced malware detection techniques such as sandbox execution, can help prevent attacks from such threats. APT1 is also known to use spear-phishing, which can be countered by building situational awareness among all employees through phishing simulations, strict policies, and periodic refreshers that discourage unsafe behaviors.
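As an added illustration of the intelligence-sharing point above (example code written for this profile, not from any vendor or the original page), the script below loads a small constructed IoC feed of SHA1 hashes, IP addresses, domains and URLs, normalises the defanged values that shared feeds commonly carry, and scans constructed proxy and EDR log lines for matches. All indicator values are invented placeholders, not real APT1 or Operation Oceansalt indicators.

```python
import re
from urllib.parse import urlparse

# Constructed IoC feed in the "type,value" shape a sharing partner might send;
# every value is an invented placeholder, not a real APT1 or Oceansalt indicator.
IOC_FEED = """\
sha1,0123456789ABCDEF0123456789ABCDEF01234567
ip,203.0.113.45
domain,update.example-c2[.]test
url,hxxp://update.example-c2[.]test/news/page.html
"""

# Constructed proxy and EDR log lines; only the first and third contain indicators.
LOG_LINES = [
    "proxy src=10.0.0.21 dst=203.0.113.45 GET http://update.example-c2.test/news/page.html 200",
    "proxy src=10.0.0.22 dst=198.51.100.7 GET https://www.example.com/ 200",
    "edr host=WS-17 process=svchost.exe sha1=0123456789abcdef0123456789abcdef01234567",
]

# Candidate tokens: SHA1 hashes, IPv4 addresses, URLs, bare hostnames (in that priority).
TOKEN_RE = re.compile(
    r"\b[0-9a-f]{40}\b|\b\d{1,3}(?:\.\d{1,3}){3}\b|https?://\S+|\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)

def refang(value):
    """Undo common defanging ([.] and hxxp://) and lower-case so feed and logs agree."""
    return value.strip().replace("[.]", ".").replace("hxxp://", "http://").lower()

def load_iocs(feed):
    """Parse the feed into {kind: set(values)}; blank and '#' lines are ignored."""
    iocs = {}
    for line in feed.splitlines():
        if line.strip() and not line.startswith("#"):
            kind, value = line.split(",", 1)
            iocs.setdefault(kind.strip(), set()).add(refang(value))
    return iocs

def scan_log(lines, iocs):
    """Return (line_no, kind, value) for every IoC seen; line numbers start at 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            tok = tok.lower()
            cands = [tok]
            if tok.startswith(("http://", "https://")):  # a URL hit also implies its host
                cands.append(urlparse(tok).hostname or "")
            for cand in cands:
                for kind, values in iocs.items():
                    if cand in values:
                        hits.append((n, kind, cand))
    return hits
```

Running `scan_log(LOG_LINES, load_iocs(IOC_FEED))` flags the C2 IP, URL and host on the first line and the file hash on the third, while the benign second line produces no hit.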
Indicators of Compromise
SHA1 (Operation Oceansalt)
IP Address (Operation Oceansalt)