
APT1 Unveiled: Decoding the Tactics and Techniques of a Persistent Cyber Adversary

In the world of cyber espionage, few adversaries have been as persistent, or as thoroughly documented, as APT1.

The APT1 Chinese cyber espionage group earned its notoriety in February 2013, when Mandiant published the APT1 report that laid out years of the group's intrusions in unusual detail.

Intrusions into at least 141 organizations have been attributed to APT1, which makes it worth decoding their tactics, techniques, and operations. As we walk through APT1's playbook, we will not only expose their methods but also pair each stage of the attack with the defensive measures that matter most.

In this blog, we discuss the scope of APT1's operations, the individuals and PLA unit tied to the group, and the malware and tooling at their disposal. From the emergence of APT1 to the notable incidents linked to them, we dissect the targets and geographical focus that define their strategy.

Why is APT1 a threat?

APT1 has the resources and capabilities of a state organization, which lets it conduct sophisticated and persistent intrusions over years rather than days. The group has shown a high level of skill and determination in pursuing objectives that align with China's national interests and strategic goals.

APT1 poses a serious risk to the security and privacy of their victims, as well as the intellectual property and competitive advantage of their industries. They have stolen data in cyber espionage operations that could compromise the identities, credentials, networks, systems, and operations of their targets. They have also obtained information that could give them an edge in negotiations, contracts, research, development, and innovation.

APT1 also represents a challenge to the international norms and laws that govern cyberspace. Their activities violate the sovereignty and integrity of other countries and entities and undermine the trust and cooperation that are essential for maintaining a stable and peaceful cyberspace.

Background on APT1

Advanced Persistent Threat 1 (APT1) is a notorious cyber threat with origins linked to a Chinese state-sponsored hacking group, commonly known as Unit 61398 of the People’s Liberation Army. The group gained notoriety in February 2013 when Mandiant, a cybersecurity firm, released a detailed Mandiant APT1 report exposing APT1’s activities.

Emergence of APT1

APT1 is the name Mandiant gave to a group of intruders assessed to be part of the Chinese military. They are also tracked as Comment Crew, Comment Group, or Comment Panda (names earned by their WEBC2 backdoors, which pull their commands out of HTML comments on attacker-controlled web pages), and as MITRE ATT&CK group G0006.

They have been accused of conducting cyber espionage campaigns against many organizations around the world, especially in the US, Canada, UK, and Japan.

They mainly target industries that are related to China’s economic development, such as aerospace, energy, information technology, and telecommunications.

According to the report by Mandiant, a cybersecurity company, APT1 has been active since at least 2006 and has stolen hundreds of terabytes of data from at least 141 victims.

APT1 uses various methods to infiltrate its targets, such as spear phishing emails, custom Malware, and stolen credentials. They also use a large network of servers and domains to hide their activities and communicate with their victims.

Mandiant assessed that APT1 is Unit 61398 of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, based on the location of the group's infrastructure (IP ranges in Pudong New Area, Shanghai, where the unit is headquartered), its operational patterns, and the personas tied to it. The Chinese government denied any involvement, called the report groundless, and countered that China is itself a frequent victim of hacking, much of it originating in the US.

Notable Cyber-Espionage Incidents linked to APT1

Several well-known operations are often listed alongside APT1. The attribution evidence varies, so each one is worth stating carefully:

The Night Dragon attacks: A series of intrusions, reported by McAfee in 2011, that targeted oil, gas and petrochemical companies in the U.S. and Europe from late 2009 onward. The attackers combined SQL injection against public-facing extranet servers, spear phishing, password cracking and remote access tools to steal bid data for oil and gas fields, operational data including information about SCADA systems, and financial documents. McAfee attributed the activity to China-based actors; public reporting does not tie it specifically to Unit 61398, so it is better read as contemporaneous Chinese espionage than as a confirmed APT1 operation.

The GhostNet campaign: A global cyber espionage network, documented by the Information Warfare Monitor in 2009, that targeted Tibetan organizations and the Dalai Lama's office between 2007 and 2009. The operators used malware-laden emails and documents to compromise nearly 1,300 computers in 103 countries, and the Gh0st RAT implant let them monitor victims, capture keystrokes, turn on webcams and microphones, and steal files. Control servers were located largely in China, but the researchers stopped short of naming a unit, and the Mandiant report does not claim GhostNet for APT1.

The RSA breach: A targeted attack that compromised the security firm RSA in March 2011. The intruders sent a spear phishing email with an Excel attachment, "2011 Recruitment plan.xls", carrying a zero-day exploit for Adobe Flash (CVE-2011-0609) embedded in the spreadsheet. The exploit installed a Poison Ivy backdoor that gave the attackers access to RSA's network, from which they stole information related to the SecurID authentication product. That data was later used in attacks on RSA's customers, including Lockheed Martin. The breach is widely attributed to Chinese state-sponsored actors, with later reporting pointing to APT1 as one of two groups involved.

APT1’s Targets and Geographical Focus  

APT1 targets industries that are related to China’s economic development. They target industries such as aerospace, energy, information technology, and telecommunications that are vital for China’s national interests and strategic goals.

They target countries such as the US, Canada, UK, and Japan that are major competitors or rivals of China in the global arena.

APT1 targets organizations such as government agencies, private companies, research institutions, and non-governmental organizations that have valuable information or resources that can benefit China.

It also steals a wide range of data from these targets, including intellectual property, trade secrets, business plans, personal information, and email communications.

The threat actors associated with the APT1 group have stolen hundreds of terabytes of data from at least 141 victims over a period of several years.

With this type of data, they can compromise the identities, credentials, networks, systems, and operations of their targets. This data also gives them an edge in negotiations, contracts, research, development, and innovation.

Identifying the Actors Behind APT1

Known Individuals or Groups Associated with APT1

Some of the known personas and individuals associated with APT1 are:

UglyGorilla: A persona active in Chinese hacking forums since at least 2004 whose handle appears in APT1 malware and domain registrations. Mandiant identified him as Wang Dong, a member of PLA Unit 61398 in Shanghai, and the 2014 US indictment charged Wang Dong under the aliases "UglyGorilla" and "Jack Wang".

DOTA: A persona who registered numerous email accounts used for social engineering and spear phishing in support of APT1 campaigns, several of them from the Shanghai address space tied to Unit 61398. The Mandiant report did not publicly establish DOTA's real name.

Jack Sun: A persona linked to APT1 intrusions against US companies. The 2014 US indictment named Sun Kailiang, a Unit 61398 officer, under the alias "Jack Sun".

SuperHard: A persona credited as an author in APT1 malware families such as AURIGA and BANGAT. Mandiant placed the persona in Pudong New Area, Shanghai, and assessed that he worked on developing or adapting the group's tools.

The other officers named in the 2014 indictment were Wen Xinyu ("WinXYHappy"), Huang Zhenyu ("hzy_lhx"), and Gu Chunhui ("KandyGoo").

Known Affiliations and Suspected State Sponsorship

APT1 is widely suspected to be affiliated with the Chinese military, specifically PLA Unit 61398. This unit is part of the PLA’s Third Department (3PLA), which is responsible for signals intelligence (SIGINT) collection and cyber operations.

The evidence for this affiliation includes: APT1's infrastructure resolving to IP ranges in Pudong New Area, Shanghai, where Unit 61398 is headquartered, together with a dedicated fiber-optic network that China Telecom provisioned for the unit in the name of national defense; operating hours that match Chinese business hours in the UTC+8 time zone; attacker systems configured with Simplified Chinese keyboard layouts and language settings; domain registrations and persona email accounts created from the same Shanghai address space; and a target set that tracks China's stated strategic priorities, including industries named in its Five-Year Plan.

In 2014, the US Department of Justice (DOJ) indicted five members of PLA Unit 61398, including Wang Dong and Sun Kailiang, for conducting cyber espionage against US companies and organizations. The indictment was the first time the US government publicly charged state-sponsored hackers with cyber crimes.

None of the five officers have been extradited or tried, so the indictment's value has been attribution and deterrence rather than prosecution. Later US actions against Chinese cyber espionage, such as the 2018 indictment of APT10 operators, concerned other units and should not be confused with APT1.

APT1: Attack Lifecycle

APT1 follows a typical attack lifecycle that consists of several stages. These stages are not necessarily sequential or linear, but rather iterative and cyclical. APT1 may repeat or skip some of the stages depending on their objectives and opportunities.

The following is a brief overview of each stage of APT1’s attack lifecycle:

Initial Compromise

In this stage, APT1 penetrates a target organization's network. APT1 most often uses spear phishing emails with malicious attachments or links to deliver malware to specific individuals or groups within the target organization.

The threat actor may exploit a known or unknown vulnerability in the victim’s system or application to install a backdoor or a remote access tool (RAT) on the victim’s machine. APT1 may also use strategic web compromise, in which they place malicious code on websites that people in the target organization will likely visit.

Another method that APT1 may use is exploiting technical vulnerabilities in public-facing web servers.

Establish Foothold 

This stage involves ensuring that APT1 can access and control one or more computers within the victim organization from outside the network. Mandiant catalogued dozens of backdoor families APT1 used for this, including the WEBC2 family (WEBC2-GREENCAT, WEBC2-TABLE and others), BISCUIT, BANGAT, AURIGA, SEASALT and STARSYPOUND, alongside publicly available tools such as Poison Ivy and Gh0st RAT.

Most of these backdoors talk to APT1's command and control (C2) servers over HTTP or a custom protocol over TCP, often with light encoding so that the traffic looks like ordinary web browsing. The WEBC2 family is the signature technique: the implant fetches an attacker-controlled web page and extracts its instructions from HTML comments, which is how the group earned the name Comment Crew. Other families used third-party services for C2, such as GLOOXMAIL (Jabber/Google Talk) and CALENDAR (Google Calendar), which blend in with legitimate SaaS traffic.
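To make the WEBC2 mechanism concrete, here is a small detector, added for this post and not taken from Mandiant or from any APT1 sample, that pulls candidate commands out of HTML comments in a page body as a proxy or sandbox might capture it. Real WEBC2 variants used several different encodings; the base64 wrapper and the sample page are assumptions made for illustration.

```python
"""Find WEBC2-style commands hidden in HTML comments.

Added example for this post, not code from the original post or from any
APT1 sample. Real WEBC2 variants used several encodings; the base64
wrapper assumed here is an illustration, and SAMPLE_PAGE is constructed.
"""
import base64
import re
from typing import List, Optional, Tuple

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_if_command(comment: str) -> Optional[str]:
    """Return the decoded text if `comment` is base64 of printable ASCII.

    Ordinary comments ('site navigation', 'copyright 2013') fail the
    character-set test; random base64-looking tokens fail the printable
    test after decoding.
    """
    token = comment.strip()
    if len(token) < 16 or len(token) % 4 or not B64_RE.fullmatch(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None
    return text if text.isprintable() and text.strip() else None


def find_hidden_commands(html: str) -> List[Tuple[str, str]]:
    """Return (raw_comment, decoded_command) for every comment that decodes."""
    hits = []
    for comment in COMMENT_RE.findall(html):
        decoded = decode_if_command(comment)
        if decoded is not None:
            hits.append((comment.strip(), decoded))
    return hits


# Constructed sample: a benign-looking page with one comment carrying a command.
_CMD = b"cmd /c net view /domain"
SAMPLE_PAGE = f"""<html><head><title>Daily news</title></head>
<body>
<!-- site navigation -->
<p>Latest headlines</p>
<!-- {base64.b64encode(_CMD).decode()} -->
<!-- copyright 2013 -->
</body></html>"""


if __name__ == "__main__":
    for raw, cmd in find_hidden_commands(SAMPLE_PAGE):
        print(f"comment {raw!r} decodes to {cmd!r}")
```

Run against proxy-captured bodies for sites that a host beacons to on a fixed interval, the check is cheap and the false-positive rate is low, because legitimate comments are almost never valid base64 that decodes to clean text.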

Escalate Privileges

This stage involves acquiring credentials and access that unlock more resources within the victim's environment. APT1 relied almost entirely on publicly available credential dumping tools rather than custom ones: cachedump, fgdump, gsecdump, lslsass, Mimikatz, the pass-the-hash toolkit, and pwdump7. The group then used tools such as psexec or xCmd to execute commands on remote machines with those credentials, and worked towards privileged systems such as domain controllers, where a single dump yields credentials for the whole domain.

Internal Reconnaissance

This stage involves gathering information about the victim's environment and identifying data or systems of interest. APT1 did not need third-party scanners for this; it mostly used built-in Windows commands, often strung together in a batch script that writes its output to a text file for collection. Typical commands were ipconfig /all, net view, net group "domain admins" /domain, net user, net localgroup administrators, net use, tasklist /v, and netstat -an.

Because these are legitimate administrative commands, the signal is not any single one but the burst: several of them on one workstation within minutes, run from an unusual parent process or by a user who does not administer systems.

Lateral Movement 

This stage involves moving from one machine to another within the target network. APT1 used the same mechanisms administrators use: mapping remote shares with net use, copying tools over SMB, launching them with psexec or xCmd, and connecting over RDP once they held valid credentials.

The credentials came from the previous stage; where only NTLM hashes were available the group could use pass-the-hash rather than cracking them. Little of this involved exploits, which is why patching alone does little against lateral movement and why credential hygiene and monitoring of remote execution matter.

Maintain Persistence

This stage ensures that APT1 can persist in the victim environment and survive remediation. APT1 typically registered its backdoors as Windows services or Run keys so they start on boot, and deliberately installed several different backdoor families on several systems so that the discovery of one implant did not end the intrusion. Mandiant observed intrusions that lasted years; in the longest case the group maintained access for four years and ten months.

They also cleaned up after themselves to a degree, deleting staging archives and tools once the data had been moved, which is one reason forensic timelines of APT1 intrusions are often reconstructed from network evidence rather than from files on disk.

Data Exfiltration

After locating the data of interest, APT1 stages it for exfiltration: files are collected into RAR archives with the -hp switch, so that both the contents and the file names inside the archive are encrypted with a password, and large archives are split into volumes. The archives are then moved out over FTP or through the existing backdoor's C2 channel. For email, the group used purpose-built tools, GETMAIL and MAPIGET, to pull messages and attachments out of Outlook PST archives and Exchange mailboxes.

Compression and the password keep the archives small and opaque to content inspection. The rar binary may be renamed to blend in, so detection is more reliable when it keys on the command-line switches and the sudden appearance of multi-volume archives in temp directories than on the file name rar.exe.
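The stages above (internal reconnaissance, privilege escalation through credential dumping, lateral movement, and archive staging for exfiltration) are individually noisy but jointly distinctive. The following detector is an added example for this post, not tooling from Mandiant or the original article: it tags process-creation events with a lifecycle stage and alerts when one host shows three or more distinct stages inside an hour. The JSON log format, the host names and the events are constructed for the example; the same logic applies to Sysmon event 1 or Windows event 4688 data once the command line is extracted.

```python
"""Tag process-creation events with APT1 lifecycle stages and alert on chains.

Added example for this post, not code from Mandiant or from the original
article. SAMPLE_LOG is constructed JSON-lines data with the fields a SIEM
would extract from Sysmon event 1 or Windows event 4688.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Order matters: the first matching stage wins.
STAGE_PATTERNS = {
    "credential_theft": re.compile(
        r"\b(mimikatz|pwdump\d*|gsecdump|cachedump|lslsass|fgdump)\b", re.I),
    "internal_recon": re.compile(
        r"\b(net\s+(view|group|user|localgroup)|ipconfig\s+/all|tasklist|netstat)\b", re.I),
    "lateral_movement": re.compile(r"\b(psexec|xcmd)\b|\bnet\s+use\s+\\\\", re.I),
    # rar "a" (add) together with -hp: password-protects contents *and* file names.
    "exfil_staging": re.compile(r"\brar(\.exe)?\s+a\b.*\s-hp", re.I),
}


def tag_stage(cmdline: str) -> Optional[str]:
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(cmdline):
            return stage
    return None


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["stage"] = tag_stage(event["cmdline"])
        events.append(event)
    return events


def find_lifecycle_chains(events: List[dict], window: timedelta = timedelta(hours=1),
                          min_stages: int = 3) -> Dict[str, List[str]]:
    """Return {host: [stages in order seen]} for hosts that show at least
    `min_stages` distinct stages within any `window`-long span."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for event in events:
        if event["stage"]:
            by_host[event["host"]].append(event)
    alerts: Dict[str, List[str]] = {}
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(host_events):
            seen: List[str] = []
            for event in host_events[i:]:
                if event["ts"] - first["ts"] > window:
                    break
                if event["stage"] not in seen:
                    seen.append(event["stage"])
            if len(seen) >= min_stages:
                alerts[host] = seen
                break
    return alerts


SAMPLE_LOG = r"""
{"ts": "2013-02-18T10:02:11", "host": "WS-FIN-07", "user": "CORP\\jsmith", "cmdline": "ipconfig /all"}
{"ts": "2013-02-18T10:03:40", "host": "WS-FIN-07", "user": "CORP\\jsmith", "cmdline": "net group \"domain admins\" /domain"}
{"ts": "2013-02-18T10:07:05", "host": "WS-FIN-07", "user": "CORP\\jsmith", "cmdline": "C:\\Windows\\Temp\\gsecdump.exe -a"}
{"ts": "2013-02-18T10:15:52", "host": "WS-FIN-07", "user": "CORP\\jsmith", "cmdline": "net use \\\\FS01\\c$ /user:CORP\\svc_backup Summer2013!"}
{"ts": "2013-02-18T10:41:19", "host": "WS-FIN-07", "user": "CORP\\jsmith", "cmdline": "C:\\Windows\\Temp\\rar.exe a -hpS3cret! -m5 -v50m C:\\Windows\\Temp\\r.rar \\\\FS01\\c$\\Projects"}
{"ts": "2013-02-18T09:30:00", "host": "WS-HR-02", "user": "CORP\\mlee", "cmdline": "ipconfig /all"}
{"ts": "2013-02-18T14:00:00", "host": "ADMIN-01", "user": "CORP\\helpdesk", "cmdline": "net view /domain"}
"""

if __name__ == "__main__":
    for host, chain in find_lifecycle_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {' -> '.join(chain)}")
```

The single ipconfig on the HR workstation and the lone net view from the help desk machine never alert; only the finance workstation, which walks through reconnaissance, credential dumping, a share mapping with a second account and a password-protected RAR within forty minutes, does. Tuning consists of adding patterns for the tools in your own environment and lowering the threshold for hosts that should never run any of them.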

Malware Arsenal: Analyzing the Malware Strains Employed by APT1

APT1 has used a large set of malware families; Mandiant's report catalogued more than 40 of them, most of them custom backdoors. Some of the most notable tools, drawn from that catalogue, are:

WEBC2 family: The group's signature backdoors. A WEBC2 implant periodically retrieves an attacker-controlled web page and parses its instructions out of HTML comments, so its traffic is a series of ordinary-looking HTTP GET requests. More than a dozen variants existed (WEBC2-GREENCAT, WEBC2-TABLE, WEBC2-CSON and others), differing mainly in how the commands are encoded.

BISCUIT: A fully featured backdoor supporting file transfer, command execution and process management over its own C2 protocol. BISCUIT was observed in APT1 intrusions over a period of years and was revised repeatedly.

AURIGA and BANGAT: Backdoors whose code carries the "SuperHard" persona, tying their authorship to the Unit 61398 member behind that handle. Both provide a remote shell, file transfer and process management.

GLOOXMAIL and CALENDAR: Backdoors that hide C2 inside legitimate services, Jabber/Google Talk and Google Calendar respectively, so that beaconing looks like normal use of Google services.

GETMAIL and MAPIGET: Post-compromise tools, not backdoors, that extract messages and attachments from Outlook PST archives and from Exchange mailboxes via MAPI, supporting the group's heavy interest in email.

HTRAN (HUC Packet Transmit Tool): A connection bouncer that relays TCP connections from a hop point to a hidden back-end server. It was written by a member of the Honker Union of China, and HTRAN and HUC Packet Transmit Tool are one tool, not two. APT1 ran it on compromised or rented hop points so that victims saw the hop point's address instead of the Shanghai source; Mandiant used HTRAN error messages, which leak the real destination IP when the back-end connection fails, to trace connections back to Unit 61398's address space.

Poison Ivy and Gh0st RAT: Publicly available remote access tools that APT1 used alongside its custom families. Public tools are convenient for initial access because their use says little about who is behind the keyboard.

Several tools sometimes attributed to APT1 in secondary sources, including Derusbi, Sakula, Trochilus and Hydraq/McRAT (the Operation Aurora backdoor), do not appear in Mandiant's APT1 malware catalogue and are associated with other China-nexus groups.

A Deep Dive into APT1’s Tactics and Techniques

Social Engineering and Spear Phishing: APT1’s Primary Entry Points

APT1 uses various methods and techniques to conduct social engineering and spear phishing attacks, such as:

  • Researching the background of individuals and organizations on social media, corporate websites, and other publicly available sources to craft convincing emails that appear to come from legitimate senders or entities.
  • Registering domains that mimic or spoof the domains of legitimate organizations or entities, such as news agencies, government agencies, or industry associations.
  • Using malicious attachments: either a ZIP archive containing an executable dressed up as a document (a PDF icon, a double extension such as .pdf.exe, or a long run of spaces before the real extension), or a document that exploits a vulnerability in Microsoft Office or Adobe Reader.
  • Using web-based exploits that redirect users to malicious websites that host exploit kits or malware downloads.

Some documented examples of APT1's social engineering and spear phishing tradecraft are:

  • In the Mandiant report's own example, APT1 sent employees an email purporting to come from Mandiant's CEO, Kevin Mandia, with an attachment named "Internal_Discussion_Press_Release_In_Next_Week8.zip". The ZIP contained an executable that, when run, installed a backdoor; no exploit was needed, only a user willing to open a file from a plausible sender.
  • The group registered sender accounts in the names of real people at the targeted organizations or their partners, and reused a small set of lure themes: press releases, meeting notes, and industry news relevant to the recipient's job.
  • Document exploits, when APT1 and its contemporaries used them, typically targeted already-patched vulnerabilities such as CVE-2012-0158 in Microsoft Office, the workhorse of China-nexus lures in 2012 and 2013, rather than zero-days.
  • Recipients who replied to a lure asking whether it was legitimate sometimes received a prompt reassurance from the operator, sent from the spoofed account, encouraging them to open the attachment.
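A mail gateway or sandbox can catch the ZIP-with-executable pattern before a user does. The inspector below is an added example for this post, not code from the original article or from any vendor product: it opens an attachment archive in memory and flags members whose extension is executable, whose name hides an executable behind a document extension, or whose content does not match the type the name claims. The three sample archives are constructed inside the script; the member names are invented and are not the lure names Mandiant reported.

```python
"""Inspect a ZIP attachment for the executable-disguised-as-document lure.

Added example for this post, not code from the original article or from a
vendor product. The sample archives are constructed below; member names are
invented, not the lure names from the Mandiant report.
"""
import io
import zipfile
from typing import Dict, List

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
# Leading bytes a file with this extension should start with.
MAGIC = {".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".rtf": b"{\\rtf"}


def inspect_member(name: str, head: bytes) -> List[str]:
    """Return the reasons a single archive member looks like a lure."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    # Split on every dot and strip whitespace so "report.pdf      .exe" is seen as .pdf + .exe
    exts = ["." + part.strip().lower() for part in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in EXEC_EXT:
        reasons.append("executable_extension")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
        reasons.append("double_extension")
    if head.startswith(b"MZ"):
        reasons.append("pe_header")  # Windows executable regardless of name
    if last in MAGIC and not head.startswith(MAGIC[last]):
        reasons.append("content_mismatch")
    return reasons


def inspect_attachment(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member name to its reasons; an empty dict means clean."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                head = member.read(8)   # only the header is needed; never extract blindly
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed test archives, built in memory."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buffer.getvalue()


LURE_NAME = "Press_Release_Next_Week.pdf" + " " * 30 + ".exe"
LURE_ZIP = build_zip({LURE_NAME: b"MZ\x90\x00" + b"\x00" * 60})
MASQUERADE_ZIP = build_zip({"report.pdf": b"MZ\x90\x00" + b"\x00" * 60})
BENIGN_ZIP = build_zip({"agenda.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"})

if __name__ == "__main__":
    for label, blob in [("lure", LURE_ZIP), ("masquerade", MASQUERADE_ZIP), ("benign", BENIGN_ZIP)]:
        print(label, inspect_attachment(blob))
```

Reading only the first eight bytes of each member keeps the check safe against oversized archives, and sniffing content independently of the name is what catches the second sample, a PE renamed to .pdf, which the extension rules alone would pass.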

Zero-Day Exploits 

Zero-day exploits feature less in APT1's documented operations than the group's reputation suggests. The Mandiant report describes an actor that mostly relied on users running executables and on exploits for patched vulnerabilities, and that rarely needed anything more. When a state-backed group does need zero-days, the usual sources are the same ones available to any well-funded actor:

  • Purchasing exploits from brokers or underground markets.
  • Developing exploits in-house through reverse engineering and fuzzing.
  • Reusing exploits captured from other threat actors' operations or taken from public disclosures.

The practical consequence is that a patching programme that closes vulnerabilities within weeks rather than months removes most of the exploit surface APT1 actually used.

Command and Control Infrastructure

APT1 uses a large network of servers and domains to communicate with its compromised systems and to exfiltrate data. According to the Mandiant APT1 report, the group controlled at least 937 command and control (C2) servers hosted on 849 distinct IP addresses in 13 countries; 709 of those addresses were registered to organizations in China and 109 in the United States.

APT1 also registered hundreds of domains that mimic legitimate websites or services, such as nytimesnews.net or firefoxupdata.com. The purpose is not to lure users but to make beacon traffic in proxy logs look like visits to news sites and software update checks, so that an analyst skimming the log is less likely to pause on them.
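One way to act on this observation is to score newly seen domains from DNS or proxy logs against the brands a target would expect to see in its traffic. The scanner below is an added example for this post, not a tool from the Mandiant report; the brand list, allowlist and observed domains are constructed (two of the observed names are the APT1 examples quoted above, the rest are invented), and the registrable-domain logic assumes two-label suffixes, so it does not handle multi-part public suffixes such as co.uk.

```python
"""Flag lookalike C2 domains that embed or nearly match a known brand.

Added example for this post, not a tool from the Mandiant report. BRANDS,
ALLOWLIST and OBSERVED are constructed; two of the observed names are the
APT1 examples quoted in the text, the others are invented.
"""
from typing import List, Optional, Set, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Assumption: the registrable domain is the last two labels (no co.uk handling)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_domain(domain: str, brands: List[str], allowlist: Set[str]) -> Optional[Tuple[str, str, str]]:
    """Return (domain, brand, reason) if `domain` looks like an impersonation."""
    reg = registrable(domain)
    if reg in allowlist:
        return None
    label = reg.split(".")[0]
    for brand in brands:
        if label == brand:
            return (domain, brand, "brand_on_unexpected_tld")  # e.g. nytimes.net
        if brand in label:
            return (domain, brand, "brand_embedded")           # nytimesnews.net
        if levenshtein(label, brand) <= 2:
            return (domain, brand, "near_miss")                # fireflox.com
    return None


def scan(observed: List[str], brands: List[str], allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    findings = []
    for domain in observed:
        verdict = score_domain(domain, brands, allowlist)
        if verdict:
            findings.append(verdict)
    return findings


BRANDS = ["nytimes", "firefox", "mozilla"]
ALLOWLIST = {"nytimes.com", "mozilla.org", "cloudfront.net"}
OBSERVED = [  # constructed DNS log extract
    "nytimesnews.net", "firefoxupdata.com", "www.nytimes.com",
    "addons.mozilla.org", "fireflox.com", "cdn.cloudfront.net",
]

if __name__ == "__main__":
    for domain, brand, reason in scan(OBSERVED, BRANDS, ALLOWLIST):
        print(f"{domain:20} {reason:24} (brand: {brand})")
```

The allowlist is what keeps this usable: the brand names will appear constantly in legitimate traffic, so the scanner only scores registrable domains that are not the brand's own. In production the brand list comes from the organization's vendors and the news and software sites its users actually visit, and hits feed a block list or a DNS sinkhole.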

Efforts to Avoid Detection

APT1 employs several tactics to avoid or delay detection. The group rotates its C2 infrastructure by registering new domains and re-pointing existing ones to new servers, so that a blocklist built from last month's indicators misses this month's beacons.

APT1 also routes its sessions through hop points, compromised or rented systems outside China running HTRAN, so that victims see the hop point's address rather than the Shanghai source. Several backdoor families hide C2 inside services a business already allows, such as Google Talk (GLOOXMAIL) and Google Calendar (CALENDAR), and the WEBC2 family makes its beacons look like ordinary web page requests. Finally, APT1 recompiles and repacks its malware frequently, so hash- and simple signature-based detection lags behind the samples in use.

Anti-Forensic Measures

APT1 takes some steps to cover its tracks and to hamper forensic investigations. Operators delete the RAR archives, batch scripts and tools they dropped once the data has left the network, and backdoors are installed in directories where they blend in with legitimate binaries. The group was not especially careful, however: the Mandiant report is built largely on evidence APT1 left behind, including HTRAN error messages that revealed its true source addresses, persona handles compiled into malware, and domain registrations made from the unit's own address space. Well-resourced does not mean stealthy, and long retention of proxy, DNS and authentication logs is what turns such slips into attribution.

Use of Encryption and Obfuscation

APT1 uses encryption and obfuscation mainly to protect its staged data and its C2 traffic from casual inspection rather than to defeat determined analysis. Exfiltrated data is packed into password-protected RAR archives with encrypted headers, so a network sensor sees an opaque blob with no recoverable file names. Several backdoors XOR-encode or use simple custom encodings for their C2 exchanges, WEBC2 variants encode commands before placing them in HTML comments, and samples are frequently packed to change their on-disk appearance. These schemes are cryptographically weak (a hard-coded XOR key, a base64 wrapper), and once the key or encoding is recovered from a sample the group's traffic is straightforward to decode; their purpose is to evade simple content inspection, not cryptanalysis.

Lateral Movement Strategies

APT1 uses lateral movement techniques to penetrate deeper into a compromised network, map sensitive resources, and escalate its access. APT1 leverages stolen credentials, pass-the-hash, and occasionally exploits for known vulnerabilities to move across systems and domains. It also uses tools such as psexec, net use, and xCmd to execute commands or run programs on remote systems.

Privilege Escalation Strategies

APT1's privilege escalation was mostly a matter of credentials, not exploits. Once a foothold ran as a local user, the group dumped cached or in-memory credentials, and because the same local administrator password or a domain administrator's logon was often present on ordinary workstations, one dump gave them domain-wide rights. Vulnerabilities such as CVE-2012-0158 gave APT1 code execution in the victim's user context, not elevated privileges, so they belong to initial access rather than escalation. The misconfigurations the group profited from are the familiar ones: shared local administrator passwords, domain administrators logging on to workstations, service accounts with excessive rights, and remote desktop reachable from untrusted segments.

Credential Theft and Reuse

APT1 uses credential theft and reuse techniques to access systems or services that require authentication. They harvest credentials from compromised systems with publicly available tools: Mimikatz, cachedump, fgdump, gsecdump, lslsass, the pass-the-hash toolkit, and pwdump7. (Tools such as ipconfig, tasklist and xCmd appear in the same batch scripts but serve reconnaissance and remote execution, not credential theft.) Harvested credentials are then reused across systems and domains, taking advantage of password reuse and weak password policies, and of the fact that a valid logon with a stolen password looks identical to a legitimate one in most logs.

Defense Against APT1: Practical Solutions

To defend against APT1 and similar threat actors, organizations need to implement a comprehensive and proactive security strategy that covers the following aspects:

Threat Intelligence Feeds

Threat intelligence feeds are streams of actionable data, such as domains, IP addresses, file hashes and behavioral indicators, related to threats that could affect your organization. Ingesting them into firewalls, DNS resolvers, SIEM and EDR tooling turns a published report into automated blocking and alerting. One example of a freely available feed is Automated Indicator Sharing (AIS), run by CISA within the U.S. Department of Homeland Security, which distributes indicators in the STIX/TAXII formats; the Mandiant APT1 report itself shipped with appendices of domains, certificates and malware hashes for the same purpose.
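As an added example of putting a feed to work, not code from the original post or from CISA, the script below reads indicators from a small STIX 2.1 bundle and matches them against DNS resolver logs. The bundle, the indicator identifiers, the log format and the IP address (a documentation-range address, not APT1 infrastructure) are all constructed; only the domain name is the APT1 example quoted earlier. The pattern parser handles just the simple single-comparison patterns that most feeds actually publish.

```python
"""Match STIX 2.1 indicators from a threat feed against DNS resolver logs.

Added example for this post, not code from the original article or from
CISA's AIS programme. STIX_BUNDLE and SAMPLE_DNS_LOG are constructed; the
IP address is from the RFC 5737 documentation range, not real infrastructure.
"""
import json
import re
from typing import Dict, List

# Handles the single-comparison patterns most feeds publish, e.g.
# [domain-name:value = 'example.org']  or  [ipv4-addr:value = '203.0.113.45']
PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']+)'\s*\]$")
DNS_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query=(\S+)\s+answer=(\S+)$")


def load_indicators(bundle_json: str) -> List[Dict[str, str]]:
    """Return [{id, type, value}] for every STIX-pattern indicator in the bundle."""
    indicators = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        match = PATTERN_RE.match(obj["pattern"])
        if not match:
            continue   # compound or unsupported pattern; a real consumer would log this
        obj_type, _prop, value = match.groups()
        indicators.append({"id": obj["id"], "type": obj_type, "value": value.lower()})
    return indicators


def domain_matches(query: str, indicator_value: str) -> bool:
    """Exact match or any subdomain of the indicator domain."""
    q = query.lower().rstrip(".")
    return q == indicator_value or q.endswith("." + indicator_value)


def match_dns_log(lines: List[str], indicators: List[Dict[str, str]]) -> List[Dict[str, str]]:
    hits = []
    for line in lines:
        m = DNS_LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, query, answer = m.groups()
        for ind in indicators:
            if ind["type"] == "domain-name" and domain_matches(query, ind["value"]):
                hits.append({"ts": ts, "client": client, "matched": query, "indicator": ind["id"]})
            elif ind["type"] == "ipv4-addr" and answer == ind["value"]:
                hits.append({"ts": ts, "client": client, "matched": answer, "indicator": ind["id"]})
    return hits


STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0f7a1a3e-5b4e-4b1c-9c2d-1b9a6f3e2c01",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0000-4000-8000-000000000001",
         "created": "2013-02-19T00:00:00.000Z", "modified": "2013-02-19T00:00:00.000Z",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'firefoxupdata.com']",
         "valid_from": "2013-02-19T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0000-4000-8000-000000000002",
         "created": "2013-02-19T00:00:00.000Z", "modified": "2013-02-19T00:00:00.000Z",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2013-02-19T00:00:00Z"},
    ],
})

SAMPLE_DNS_LOG = """\
2013-02-18T11:02:03 10.1.4.22 query=update.firefoxupdata.com answer=203.0.113.45
2013-02-18T11:05:10 10.1.4.23 query=www.mozilla.org answer=198.51.100.7
2013-02-18T11:06:00 10.1.4.22 query=cdn.example.net answer=203.0.113.45
"""

if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG.splitlines(), load_indicators(STIX_BUNDLE)):
        print(hit)
```

Matching subdomains of an indicator domain is deliberate: beacon hostnames are usually a label under the registered domain, not the bare domain. The third log line shows why IP indicators earn their keep even after a domain is retired: the same address answering for a fresh, unlisted name is the rotation described under Efforts to Avoid Detection, and the match ties the new name to the old campaign.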

Deploying Endpoint Security

Endpoint systems are where APT1's intrusions start and where most of its tooling runs, so endpoint visibility matters more than perimeter controls against this actor. Endpoint security solutions typically combine antivirus, a host firewall, disk encryption, and endpoint detection and response (EDR); the last of these records process creation and command lines, which makes the reconnaissance bursts, credential dumping and RAR staging described above visible in near real time.

Network Segmentation

Network segmentation is a network security practice of dividing the main network into multiple, smaller subnetworks to better protect sensitive data and limit the lateral movement of threats. By isolating resources into distinct segments, organizations can minimize the impact of a breach and optimize network traffic. Network segmentation can be achieved by using various methods such as VLANs (Virtual Local Area Networks), firewalls, or SDNs (Software Defined Networks).

Incident Response and Forensics

Incident response and forensics help mitigate the damage of a cyberattack, understand the root cause and scope of the incident, comply with regulations, and improve security posture. Incident response and forensics require a well-defined plan, a skilled team, and appropriate tools.

Backup and Disaster Recovery with Immutability and Air-Gapped Storage

Immutable and air-gapped storage preserves data integrity and availability even if the production network is compromised by ransomware or other threats. Note the limit against an actor like APT1: the group steals data rather than destroying it, so backups are the recovery path once an intrusion has been cleaned up, not a control against the theft itself; protection against theft comes from the segmentation, endpoint visibility and credential hygiene described above.

One example of a solution that offers immutable and air-gapped storage for backup and DR is StoneFly's Backup and Disaster Recovery Appliance (DR365™). StoneFly DR365™ is a hyper-converged, cloud-enabled backup and DR solution that can scale to multiple appliance nodes, connect with public and private clouds, and deliver recovery time objectives (RTOs) and recovery point objectives (RPOs) of less than 15 minutes.

StoneFly DR365™ maintains immutable backup copies in air-gapped storage, preventing direct access to the data, and protects against data modification or removal via API. StoneFly DR365™ also supports various hypervisors, protocols, and data services, and offers terabytes to petabytes of storage capacity.

APT1: Potential Future Developments

APT1 is not a static actor. After the 2013 report, the group's exposed infrastructure was abandoned, and the activity that resumed used new domains, servers and rebuilt tooling. The useful question for defenders is therefore less "what will APT1 do next" than "which of its techniques still work against us". Plausible developments, consistent with what the group has already shown, are:

  • Developing or acquiring malware that evades behavioral endpoint detection and response, not just signatures, since EDR has become the control that most reliably exposes the lifecycle described above.
  • Exploiting unpatched vulnerabilities in the software every target runs, such as Microsoft Office and internet-facing remote access or VPN gateways, in place of the Flash-era exploits of the early campaigns.
  • Leveraging more legitimate cloud services for command and control, extending the Google Talk and Google Calendar approach to the collaboration and storage services a target already allows through its firewall.
  • Targeting critical infrastructure and other high-value assets, such as power grids or satellite operators, where long-term access would carry consequences beyond intellectual property theft.
  • Expanding its scope to more regions, such as Europe and Latin America, and to more sectors, such as healthcare, as China's economic priorities shift.

Finally, as always, knowledge is your best defense. Vigilance, regular updates on threat intelligence, and a proactive cybersecurity stance are paramount.

Remember that cyber threats are dynamic. Stay informed, implement robust defense measures, and collaborate with the cybersecurity community to fortify your digital resilience. Here’s to a secure and empowered digital future.

Stay tuned for more updates on cybersecurity topics by subscribing to our weekly newsletter.


