APT1

Threat Actor updated a month ago (2024-11-29T13:53:47.174Z)
Download STIX
Preview STIX
APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to take complete control over a victim's machine. APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations across various sectors including Information Technology, Aerospace, Public Administration, and more, demonstrating the capability and intent to steal from multiple organizations simultaneously. The size of APT1’s infrastructure suggests a large organization with potentially hundreds of human operators. This group came into the spotlight following Mandiant's APT1 report in 2013, which attributed the attacks to the Chinese government. This was followed by indictments of the APT1 actors by the U.S. Department of Justice and foreign policy maneuvers against the Chinese government by the U.S. State Department. It is worth noting that APT1 has been associated with other Chinese threat actors such as APT10 and DragonOK. They have previously used dynamic DNS, and while they occasionally use publicly available backdoors like Poison Ivy and Gh0st RAT, they mostly seem to employ their own custom backdoors. Despite similarities in code observed between OceanSalt samples and those of APT1, these are believed to be false flags. APT1 also creates webmail accounts using real peoples’ names, indicating sophisticated social engineering techniques. Their wider targeting scope coupled with the use of the Winnti backdoor is typical of several suspected Ministry of State Security contractors, including APT1 and APT41. The threat posed by APT1 remains significant due to its extensive capabilities, resources, and the backing of a nation-state.
Description last updated: 2024-05-04T20:30:15.277Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Comment Panda is a possible alias for APT1. Comment Panda, also known as Sneaky Panda, Comment Crew, and APT1, is a threat actor associated with Unit 61398 of the People's Liberation Army in China. The term "threat actor" refers to a human entity that executes actions with malicious intent, which could be an individual, a private company, or
2
Comment Crew is a possible alias for APT1. Comment Crew, also known as APT1 or Unit 61398, is a significant threat actor attributed to China's People's Liberation Army (PLA) General Staff Department’s 3rd Department. The group has been active since at least 2005-2006, as traced by Mr. Stewart of Dell Secureworks. Among the myriad of Chinese
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
This is a test note
@Blue Unicorn, 4 months ago
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The gh0st RAT Malware is associated with APT1. Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation Diplohas used
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT41 Threat Actor is associated with APT1. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activiis related to
2