APT1

Who is APT1?

APT1 was first profiled publicly in detail by Mandiant in 2013, following years of investigation. According to Mandiant, “APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).” [1] Investigations have recorded APT1 activity since at least 2006. The group has stolen “hundreds of terabytes of data from at least 141 organizations.” [1] It maintained access to victim networks for an average of 356 days, and for 4 years and 10 months in the longest observed case.

Aliases

Comment Crew, Comment Group, and possibly Shady Rat.

Associated Individuals

UglyGorilla (Wang Dong)

UglyGorilla was the registrant contact listed on many domain names used in APT1’s attack infrastructure.

DOTA

This handle appeared in numerous email accounts used in APT1 phishing attacks, including:

  • d0ta010[at]hotmail.com
  • dota.d013[at]gmail.com
  • d0ta001[at]hotmail.com
  • Facebook user “do.ta.5011”(Facebook user id: 100002184628208)
  • dota.sb005[at]gmail.com listed as a backup email account for poter.spo1[at]gmail.com
  • dota.d001[at]gmail.com

DOTA and UglyGorilla were observed using the same infrastructure: the same domains and the same outgoing IP addresses.

SuperHard (Mei Qiang/梅强)

SuperHard authored portions of the AURIGA and BANGAT malware families. This individual was strongly linked to the address mei_qiang_82[at]sohu.com and was observed communicating with DOTA.

Notable Attacks

  • Washington Post [2][3]
  • New York Times [4]
  • Google [5]
  • Telvent Canada Ltd

Targets

“The industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.” [1] The victims were governments and organizations around the world, with the bulk of them in English-speaking countries. The intrusions at the New York Times, the Washington Post and Google listed above were reported as the work of Chinese attackers [2][3][4][5]; the Mandiant report does not itself claim them for APT1, and Mandiant attributed the New York Times intrusion to a separate group it tracked as APT12.

Chinese government spokesmen have denied that the government sanctioned or was involved in these attacks.

Tactics

APT1 was an early actor to combine a structured, persistent attack methodology with moderately advanced custom tools. A common theme in observed incidents was the exfiltration of large amounts of sensitive data: private communications, proprietary information and plans, research, and credentials.

APT1 most commonly gained initial access through spear phishing. The attackers understood who their targets were and what would most likely tempt them to open an attachment, so they named malicious payloads after current events and topics of interest to the recipient, and sent them from addresses carrying the names of relevant authority figures to build trust. In some cases the attackers disguised the payload’s file type by putting a decoy document extension in the name and pushing the real extension out of view with a long run of spaces (119 spaces in one observed filename, followed by “.exe”). They also changed the icon embedded in the executable so that the file appeared to be a harmless document.
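The filename trick described above is easy to catch at a mail gateway or in an attachment log once you know to look for it. The following is an added example written for this page, not code from Mandiant or from any APT1 sample: it normalises exotic whitespace (non-breaking and ideographic spaces count as padding too), recovers the true extension after the last dot, and flags a document-style decoy extension followed by padding and an executable extension. The extension lists and the sample filenames are constructed for the demonstration.

```python
import re
import unicodedata

# Extensions Windows will execute; a name that ends in one of these behind a
# document-looking decoy is the pattern described in the text. Both lists are
# illustrative and should be tuned to the environment.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "lnk", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "rtf", "csv"}

# ".<decoy ext><zero or more spaces>.<true ext>" at the end of the name.
_PADDED_DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})( *)\.([A-Za-z0-9]{1,4})$")


def _normalize_spaces(name):
    """Map tabs and every Unicode space separator (category Zs) to ' '."""
    return "".join(" " if ch == "\t" or unicodedata.category(ch) == "Zs" else ch
                   for ch in name)


def analyze_attachment_name(name):
    """Describe how a filename would be interpreted versus how it looks.

    Returns a dict with the true extension, the decoy extension (if any), the
    number of padding spaces between them, and a 'suspicious' verdict.
    """
    normalized = _normalize_spaces(name)

    # The operating system uses whatever follows the final dot, padding removed.
    _, dot, tail = normalized.rpartition(".")
    true_ext = tail.strip().lower() if dot else ""

    decoy_ext, padding = "", 0
    m = _PADDED_DOUBLE_EXT.search(normalized)
    if m:
        decoy_ext, padding = m.group(1).lower(), len(m.group(2))

    # A plain "setup.exe" is a separate policy question; the heuristic here
    # fires only when an executable hides behind a decoy extension or padding.
    suspicious = true_ext in EXECUTABLE_EXTS and (decoy_ext in DOCUMENT_EXTS or padding > 0)

    return {
        "true_extension": true_ext,
        "decoy_extension": decoy_ext,
        "padding": padding,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Constructed filenames modelled on the padding trick described in the text.
    samples = [
        "2012ChinaUSAviationSymposium.pdf" + " " * 119 + ".exe",
        "Meeting_Agenda.docx",
        "archive.tar.gz",
        "notes.pdf" + "\u00a0" * 10 + ".scr",
    ]
    for s in samples:
        print(repr(s[:40]), analyze_attachment_name(s))
```

The padding check is deliberately strict about where the spaces sit: a space inside a stem (“quarterly report.docx”) is ordinary, while any spaces immediately before a second extension are not something a legitimate file name produces.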

The attackers maintained access with WEBC2 backdoors. A WEBC2 backdoor retrieves a web page from a server the attackers control and takes its commands from comments hidden in the HTML of the response: browsers never render comments, so the page looks ordinary to anyone who opens it, and the implant’s requests look like routine web browsing. This technique is the origin of the Comment Crew name. Other APT1 backdoors likewise mimicked normal web and network traffic, which let them blend into an organization’s daily activity.
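To make the comment channel concrete, here is an added example written for this page; it is not WEBC2 code and does not reproduce any APT1 sample. It constructs a benign-looking HTML page whose second comment carries an encoded string (base64 is assumed for the demonstration; the encoding real WEBC2 variants used differed), shows the implant-side step of pulling tasking out of the comments, and then the defender-side check that flags comments which look like encoded blobs rather than developer notes. The page content and the hidden command are constructed.

```python
import base64
import binascii
import math
import re
from html.parser import HTMLParser

# Constructed sample page. The hidden command and its base64 encoding are
# assumptions for this demo, not captured APT1 content.
_HIDDEN_COMMAND = "systeminfo;whoami"
SAMPLE_PAGE = f"""<html><head><title>Weekly Update</title></head>
<body>
<!-- generated by cms v2.1 -->
<h1>Weekly Update</h1>
<p>Nothing to report this week.</p>
<!-- {base64.b64encode(_HIDDEN_COMMAND.encode()).decode()} -->
</body></html>"""


class _CommentCollector(HTMLParser):
    """Collect the text of every HTML comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return all comment bodies in document order, using a real HTML parser
    rather than a regex so comments inside odd markup are still found."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


# A single unbroken base64 token of non-trivial length.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def shannon_entropy(text):
    """Bits per character; English notes sit well below dense encodings."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_if_encoded(comment):
    """Implant-side step: if the comment is a valid base64 token that decodes
    to printable ASCII, return the decoded text; otherwise None."""
    token = comment.strip()
    if not _B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def implant_fetch_tasking(html):
    """Implant side: the first decodable comment is the tasking."""
    for comment in extract_comments(html):
        command = decode_if_encoded(comment)
        if command is not None:
            return command
    return None


def flag_suspicious_comments(html, entropy_threshold=3.5):
    """Defender side: comments shaped like an encoded token whose content is
    either high-entropy or decodes cleanly to text are reported."""
    findings = []
    for comment in extract_comments(html):
        token = comment.strip()
        if not _B64_TOKEN.match(token):
            continue
        decoded = decode_if_encoded(token)
        if decoded is not None or shannon_entropy(token) >= entropy_threshold:
            findings.append({"comment": token, "decoded": decoded})
    return findings


if __name__ == "__main__":
    print("implant would run:", implant_fetch_tasking(SAMPLE_PAGE))
    print("defender flags:", flag_suspicious_comments(SAMPLE_PAGE))
```

Run over proxy logs or a web-content capture, the defender-side check will produce some false positives (a bare “Copyright2013” comment has the right shape), so the decoded text, the requesting host and the request cadence are what turn a finding into an incident.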

Although these tactics are common among adversaries today, APT1 was an early example of a well-resourced, highly sophisticated attacker with the support needed to run patient, long-running campaigns.

References

[1] https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

[2] https://www.washingtonpost.com/business/technology/chinese-hackers-suspected-in-attack-on-the-posts-computers/2013/02/01/d5a44fde-6cb1-11e2-bd36-c0fe61a205f6_story.html

[3] https://krebsonsecurity.com/2013/02/source-washington-post-also-broadly-infiltrated-by-chinese-hackers-in-2012/

[4] https://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html

[5] http://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html
