APT1

Threat Actor Profile Updated 13 days ago
APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. The group has been linked with several high-profile Remote Access Trojans (RATs), which give the operators complete control over a victim's machine. APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations across sectors including Information Technology, Aerospace and Public Administration, demonstrating both the capability and the intent to steal from many organizations simultaneously. The size of APT1's infrastructure suggests a large organization with potentially hundreds of human operators.

The group came into the spotlight following Mandiant's APT1 report in 2013, which attributed the attacks to the Chinese government. This was followed by indictments of APT1 actors by the U.S. Department of Justice and foreign policy maneuvers against the Chinese government by the U.S. State Department. It is worth noting that APT1 has been associated with other Chinese threat actors such as APT10 and DragonOK.

APT1 has previously used dynamic DNS, and while it occasionally uses publicly available backdoors such as Poison Ivy and Gh0st RAT, it mostly appears to rely on its own custom backdoors. Despite similarities in code observed between OceanSalt samples and those of APT1, these are believed to be false flags. APT1 also creates webmail accounts using real people's names, indicating sophisticated social engineering techniques. Its wider targeting scope, coupled with the use of the Winnti backdoor, is typical of several suspected Ministry of State Security contractors, including APT1 and APT41. The threat posed by APT1 remains significant because of its extensive capabilities, its resources, and the backing of a nation-state.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Comment Panda | 2 | Comment Panda, also known as Sneaky Panda, Comment Crew, and APT1, is a threat actor associated with Unit 61398 of the People's Liberation Army in China. The term "threat actor" refers to a human entity that executes actions with malicious intent, which could be an individual, a private company, or
Comment Crew | 2 | Comment Crew, also known as APT1 or Unit 61398, is a significant threat actor attributed to China's People's Liberation Army (PLA) General Staff Department's 3rd Department. The group has been active since at least 2005-2006, as traced by Mr. Stewart of Dell Secureworks. Among the myriad of Chinese
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID | Type | Votes | Profile Description
gh0st RAT | has used | 2 | Gh0st RAT is a notorious malware, short for malicious software, that was first created by a Chinese group known as the C. Rufus Security Team and its source code was made publicly available in 2008. This remote admin tool has been used extensively in cyberespionage and surveillance campaigns. A rece
Associated Threat Actors
ID | Type | Votes | Profile Description
APT41 | is related to | 2 | APT41, also known as Winnti, Wicked Panda, Barium, Suckfly, Earth Freybug, and Daggerfly, is a sophisticated threat actor attributed to China that has been active since at least 2012. The group targets organizations across various sectors including public administration, professional services, scien
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the APT1 threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE | a year ago | Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
DARKReading | 2 months ago | How to Identify a Cyber Adversary: Standards of Proof
MITRE | a year ago | Chinese Actors Use '3102' Malware in Attacks on US Government and EU Media
Securelist | a year ago | IoC detection experiments with ChatGPT
Malwarebytes | a year ago | APT attacks: Exploring Advanced Persistent Threats and their evasive techniques
MITRE | a year ago | The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia
MITRE | a year ago | Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
DARKReading | 4 months ago | China Infiltrates US Critical Infrastructure in Ramp-up to Conflict