APT3

Threat Actor Profile Updated 3 months ago
APT3, also known as the UPS Team, is a highly sophisticated threat group suspected to be based in China and attributed to the Chinese Ministry of State Security (MSS) and Boyusec. The group targets sectors including Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, and Transportation, aligning with areas highlighted by China's most recent Five Year Plan. APT3's malicious activities support China's political, economic, diplomatic, and military goals, making it not just another cyber threat group but an asset of the MSS. Companies victimized by APT3 are urged to adjust their defense strategies against this formidable adversary.

The group has demonstrated advanced capabilities such as using browser-based zero-day exploits (e.g., against Internet Explorer, Firefox, and Adobe Flash Player) and creating its own version of EternalSynergy, called UPSynergy. In the Bemstour case, APT3 is assumed to have sniffed the EternalRomance exploit from network traffic and later upgraded it to the equivalent of EternalSynergy using an additional vulnerability of its own.

The phishing emails used by APT3 are usually generic in nature, almost appearing to be spam, and have been associated with malware such as SHOTPUT, COOKIECUTTER, and SOGU. Once APT3 gains access to a target network, the group works swiftly and proficiently at enumerating hosts and moving laterally to maintain its access. Its command and control (CnC) infrastructure is difficult to track because there is little overlap across campaigns. As in APT3's activity in Operation Clandestine Wolf, the URLs in the phishing emails redirect to JavaScript profilers and a malicious Adobe Flash file. APT3's activities underscore the significant threat posed by state-sponsored cyber actors and highlight the need for robust cybersecurity defenses.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
UPS Team | 1 | None
Boyusec | 1 | Boyusec, a threat actor group linked to the Chinese Ministry of State Security (MSS), has been implicated in long-running GOTHIC PANDA operations, with elements of the group likely still active despite its official dissolution. Throughout May 2017, IntrusionTruth released a series of blog posts iden
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Chinese
Adobe
Fireeye
Huawei
Vulnerability
Exploit
Apt
Backdoor
Payload
Spam
China
Spearphishing
Zero Day
Firefox
Malware
Phishing
European
Exploits
Associated Malware
ID | Type | Votes | Profile Description
SHOTPUT | Unspecified | 1 | Shotput is a sophisticated malware associated with Advanced Persistent Threat 3 (APT3), an infamous cyber-espionage group. The malware, also detected as Backdoor.APT.CookieCutter by FireEye, infiltrates systems through phishing emails that appear to be spam. The attack vector involves the use of a F
Sogu | Unspecified | 1 | SOGU is a malicious software (malware) attributed to TEMP.Hex, a threat actor linked to China. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations
Associated Threat Actors
ID | Type | Votes | Profile Description
APT18 | Unspecified | 1 | APT18, also known as Wekby, is a threat actor suspected to be attributed to China. This group has targeted multiple sectors including Aerospace and Defense, Construction and Engineering, Education, Health and Biotechnology, High Tech, Telecommunications, and Transportation. Despite the significant i
Pirpi | Unspecified | 1 | None
Gothic Panda | Unspecified | 1 | None
DragonOK | Unspecified | 1 | DragonOK, a threat actor group reportedly linked to China, has been associated with various malicious activities, including the deployment of the infamous Remote Access Trojan (RAT) known as FormerFirstRAT. This multi-featured RAT allows threat actors to gain complete control over a targeted machine
APT27 | Unspecified | 1 | APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario
Equation Group | Unspecified | 1 | The Equation Group, a threat actor suspected of having ties to the United States, has been associated with various sophisticated cyber exploits. The group's EpMe exploit, which existed since at least 2013, was the original exploit for the vulnerability later labeled CVE-2017-0005. Another exploit, E
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2015-5119 | Unspecified | 1 | CVE-2015-5119 is a software vulnerability, specifically a flaw in the design or implementation of Adobe Flash. This vulnerability was discovered as part of the Hacking Team data breach that took place in 2015. In this leak, internal data of the Italian cybersecurity firm Hacking Team was exposed, in
EternalRomance | Unspecified | 1 | EternalRomance is a software vulnerability, specifically an exploit for the Server Message Block version 1 (SMBv1) protocol, which was leaked by the group known as the "ShadowBrokers." It affects Windows XP, Windows Server 2003, and Windows Vista systems. This flaw allows attackers to execute arbitr
UPSynergy | Unspecified | 1 | UPSynergy is a software vulnerability that was first utilized by the Advanced Persistent Threat group 3 (APT3). This flaw in software design or implementation was exploited when APT3 crafted their own version of the EternalSynergy exploit, originally developed by the Equation Group. The exploit was
EternalSynergy | Unspecified | 1 | EternalSynergy is a software vulnerability, also known as Shadow Broker, MS17-010, ETERNALBLUE, or ETERNAL ROMANCE. This flaw exists in the design and implementation of Microsoft's Server Message Block 1.0 (SMBv1) protocol and allows for remote code execution. It poses significant security risks, as
Source Document References
Information about the APT3 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
MITRE | a year ago | Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3 | Recorded Future
MITRE | a year ago | Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign | Mandiant
MITRE | a year ago | The Story of Jian - How APT31 Stole and Used an Unknown Equation Group 0-Day - Check Point Research
MITRE | a year ago | Two Birds, One STONE PANDA
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE | a year ago | Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak | Mandiant