APT1

Threat Actor updated 7 months ago (2024-05-04T20:54:52.036Z)

Download STIX

Preview STIX

APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to take complete control over a victim's machine. APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations across various sectors including Information Technology, Aerospace, Public Administration, and more, demonstrating the capability and intent to steal from multiple organizations simultaneously. The size of APT1’s infrastructure suggests a large organization with potentially hundreds of human operators. This group came into the spotlight following Mandiant's APT1 report in 2013, which attributed the attacks to the Chinese government. This was followed by indictments of the APT1 actors by the U.S. Department of Justice and foreign policy maneuvers against the Chinese government by the U.S. State Department. It is worth noting that APT1 has been associated with other Chinese threat actors such as APT10 and DragonOK. They have previously used dynamic DNS, and while they occasionally use publicly available backdoors like Poison Ivy and Gh0st RAT, they mostly seem to employ their own custom backdoors. Despite similarities in code observed between OceanSalt samples and those of APT1, these are believed to be false flags. APT1 also creates webmail accounts using real peoples’ names, indicating sophisticated social engineering techniques. Their wider targeting scope coupled with the use of the Winnti backdoor is typical of several suspected Ministry of State Security contractors, including APT1 and APT41. The threat posed by APT1 remains significant due to its extensive capabilities, resources, and the backing of a nation-state.

Description last updated: 2024-05-04T20:30:15.277Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Comment Panda is a possible alias for APT1. Comment Panda, also known as Sneaky Panda, Comment Crew, and APT1, is a threat actor associated with Unit 61398 of the People's Liberation Army in China. The term "threat actor" refers to a human entity that executes actions with malicious intent, which could be an individual, a private company, or	2
Comment Crew is a possible alias for APT1. Comment Crew, also known as APT1 or Unit 61398, is a significant threat actor attributed to China's People's Liberation Army (PLA) General Staff Department’s 3rd Department. The group has been active since at least 2005-2006, as traced by Mr. Stewart of Dell Secureworks. Among the myriad of Chinese	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

This is a test note

@Blue Unicorn, 3 months ago

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The gh0st RAT Malware is associated with APT1. Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation Diplo	has used	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT41 Threat Actor is associated with APT1. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi	is related to	2

Source Document References

Information about the APT1 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	8 months ago	How to Identify a Cyber Adversary: Standards of Proof
DARKReading	10 months ago	China Infiltrates US Critical Infrastructure in Ramp-up to Conflict
MITRE	2 years ago	Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
MITRE	2 years ago	Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
MITRE	2 years ago	Advanced Persistent Threats (APTs) \| Threat Actors & Groups
MITRE	2 years ago	The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia
MITRE	2 years ago	Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media
Securelist	2 years ago	IoC detection experiments with ChatGPT
Malwarebytes	2 years ago	APT attacks: Exploring Advanced Persistent Threats and their evasive techniques