APT1 Threat Actor Group: A deep dive into one of the prolific Chinese cyber espionage groups

• The threat group is active since 2006 and has stolen hundreds of terabytes of data from nearly 150 victims until 2013.
• The malware and malicious tools associated with the APT1 group includes Poison Ivy malware, Mimikatz exploit tool, SeaSalt, Ecltys trojan, Downbot trojan, Barkiofork backdoor, AURIGA malware, and BANGAT malware.

APT1 is a Chinese cyber espionage threat group. APT1 threat group is believed to be the second Bureau of People's Liberation Army. It is considered one of the most prolific cyber espionage group because of the quantity of information stolen by the threat group. The threat group is also known as Comment Crew, Comment Panda, Brown Fox, Byzantine Candor, Group 3, and GIF89a.

Worth noting - The threat group is active since 2006 and has stolen hundreds of terabytes of data from nearly 150 victims across 20 major industries until 2013.

The malware and malicious tools associated with the APT1 group includes Poison Ivy malware, Mimikatz exploit tool, SeaSalt, Ecltys trojan, Downbot trojan, Barkiofork Backdoor, AURIGA malware, and BANGAT malware.

The big picture

Once APT1 has gained access to the victim’s network, the threat group revisits the network over several months or years and then steals broad categories of information such as intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.

The tools exclusively used the APT1 threat group includes GETMAIL and MAPIGET. Both the tools are designed to steal email.

By numbers

• The longest time period the threat group maintained access to a victim’s network was 1,764 days, or four years and ten months.
• APT1 threat group has stolen 6.5 terabytes of compressed data from a single organization over a ten-month time period.
• The threat group has stolen hundreds of terabytes of data from nearly 150 victims across 20 major industries until 2013
• Of which, 87% were English speaking natives.
• Between 2011 and 2013, APT1 has launched a minimum of 937 C&C servers hosted on 849 unique IP addresses across 13 countries.
• Of which, the majority of IP addresses were registered to organizations in China (709), followed by the U.S. (109).

Cybercriminals linked to APT1 threat group

Researchers noted a threat actor who goes under the name ‘UglyGorilla’ has been active in computer network operations since October 2004 and his activities disclosed attributions to the APT1 threat group.

• Another attacker known as ‘DOTA’ has registered multiple email accounts used to conduct social engineering and spear phishing attacks in support of APT1 campaigns.
• An interesting fact is that both the attackers UglyGorilla and DOTA use the same shared infrastructure.
• Another malware author who goes under his nickname ‘SuperHard’ is a significant contributor to the AURIGA and BANGAT malware strains used by the APT1 threat group.

OceanSalt campaign linked to the APT1 threat group

In May 2018, a cyber espionage campaign dubbed ‘Operation Oceansalt’ targeted organizations across South Korea, US, and Canada with five attack waves. Researchers stated that the OceanSalt campaign was linked to the prolific cyber espionage group APT1.