APT1

APT1 is a Chinese nation-state advanced persistent threat. The 3rd and 4th Departments of the People’s Liberation Army (PLA) General Staff Department (GSD) supposedly house China’s electronic warfare operations. PLA Unit 61398 is the Military Unit Cover Designator of the Chinese state-sponsored advanced persistent threat that operates out of the 2nd Bureau of the 3rd Department of the PLA GSD, located off Datong Road in Pudong, Shanghai.

PLA Unit 61398 is tasked with computer network operations. It operates on four large networks in Shanghai, two of which serve the Pudong region. The Unit has a dedicated fiber-optic connection that was paid for in the name of national defense. The 3rd Department employs over 130,000 people. Unit 61398 consists of personnel who are proficient in English and trained in computer security and computer network operations. Members of Unit 61398 use Chinese (Simplified) keyboard settings, and most of the IP addresses and infrastructure used in the attacks trace back to China.

PLA Unit 61398 targets sectors that are of interest to China’s 12th Five Year Plan. It is large enough and well-resourced enough to compromise dozens of organizations simultaneously. This adversary has breached over 150 organizations since its inception in 2002, and the majority of victims are located in the United States. Information technology organizations, aerospace firms, public administration agencies, and other technology-heavy sectors are targets for Unit 61398. The adversary targets intellectual property and financial data, exfiltrating intellectual property, proprietary documents, business plans, emails, and contacts.

Attacks begin with spear-phishing emails that contain a malicious file or a malicious link. The emails are personalized to the target and may not be easily distinguished from legitimate emails. Attachments are usually in ZIP format. Once the victim system is compromised, the attacker establishes a persistent presence by installing a backdoor via the dropper delivered by the email. The backdoor initiates contact with the command-and-control (C2) infrastructure from inside the network so that the traffic can bypass internal firewalls. The actor typically relies upon WEBC2 backdoors, which are minimally featured beachhead backdoors: WEBC2 can only communicate with a C2 server through comments embedded in web pages. Sometimes the BISCUIT backdoor is used if more functionality is needed. BISCUIT uses the HTTP protocol for communication and features modules to capture screenshots, log keystrokes, record system information, modify processes, modify the registry, execute code, log off or shut down the session, and more.
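Because WEBC2 beachhead backdoors take their instructions from comments in an otherwise ordinary web page, a network defender can hunt for the pattern on the wire: legitimate HTML comments read like prose or build notes, while a comment carrying an encoded command is a dense blob of base64 or hex with no spaces. The following detector is an added example written for this profile, not APT1 tooling and not a reproduction of any real WEBC2 variant's command format; the sample page, the encoded token in it, and the length and entropy thresholds are constructed assumptions that you would tune against your own traffic.

```python
"""Heuristic hunt for WEBC2-style command delivery hidden in HTML comments.

Editor's example, not project code.  The sample page, the encoded token and
the thresholds below are constructed for illustration (assumptions).
"""
import base64
import math
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A comment body made only of base64 alphabet characters, 16+ chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# A comment body that is one long hex string.
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")

# Assumed thresholds (constructed): prose comments rarely exceed ~3.5 bits/char
# when they are short, encoded blobs of real data sit well above it.
MIN_ENTROPY = 3.5


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious_comments(html: str) -> list[dict]:
    """Return every HTML comment that looks like an encoded payload rather than prose.

    Each finding carries the comment body, its entropy and the reasons it was flagged.
    """
    findings = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        reasons = []
        if B64_RE.match(body) and len(body) % 4 == 0:
            reasons.append("base64-like blob")
        if HEX_RE.match(body):
            reasons.append("long hex blob")
        if not reasons:
            continue  # ordinary comment text: spaces, punctuation, short tokens
        entropy = shannon_entropy(body)
        if entropy >= MIN_ENTROPY:
            findings.append({"comment": body, "entropy": round(entropy, 2), "reasons": reasons})
    return findings


# Constructed sample page: two benign comments and one carrying an encoded token.
CONSTRUCTED_PAYLOAD = base64.b64encode(b"constructed-example-token-for-detection-test").decode()
SAMPLE_PAGE = f"""<html><head><!-- site build 2024-01-01 --></head>
<body><p>Weather today: sunny.</p>
<!-- {CONSTRUCTED_PAYLOAD} -->
<!-- TODO: fix footer alignment --></body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_comments(SAMPLE_PAGE):
        print(f"{finding['entropy']:.2f} bits/char  {finding['reasons']}  {finding['comment'][:40]}...")
```

In practice you would feed this the response bodies of outbound HTTP fetches from a proxy or a full-packet capture and correlate hits with the requesting host, since a beachhead backdoor polls the same innocuous-looking page on a fixed schedule; the periodicity is a second signal the heuristic above does not use.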

PLA Unit 61398 remains persistent on the compromised system and may revisit it over the course of months or years; the group typically remains on the network for 1-5 years. During this time, the group escalates its privileges using login credentials that it gathers with publicly available tools bundled into the initial malware. Next, it conducts network reconnaissance by typing commands into the command shell. Finally, it moves laterally across the network to infect new systems and maintains its presence on the infected network. Unit 61398 compresses stolen data into multiple files with a RAR archiving utility and exfiltrates the data through its backdoor or through File Transfer Protocol (FTP).

Type: Nation-State-Sponsored

APT1 Status: Believed Active

APT1 Other Names: Comment Crew, Comment Panda, PLA Unit 61398, TG-8223, BrownFox, Group 3, GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor, Operation Shady RAT

APT1 Active Since/Discovered: 2002

APT1 Targets: U.S., United Nations, Canada, South Korea, Taiwan, and Vietnam

APT1 Target Sectors: intellectual property, trade secrets, financial data, organizational data, or systems in the Energy, Information Technology, Aerospace, Defense, Manufacturing, Public Administration, or other governmental or technical sectors

Malware:

  • Main malware: WEBC2, BISCUIT
    • communicate via HTTP
    • capture screenshots
    • log keystrokes
    • execute code
    • log off or shut down the session
    • Stolen data exfiltrated via FTP as multiple password-protected RAR files
  • Other Families (44 listed): AURIGA, BANGAT, BISCUIT, BOUNCER, CALENDAR, COMBOS, COOKIEBAG (TROJAN.COOKIES), DAIRY, GETMAIL, GLOOXMAIL (TROJAN.GTALK), GOGGLES (TROJAN.FOXY), GREENCAT, HACKFASE, HELAUTO, KURTON, LIGHTBOLT, LIGHTDART, LONGRUN, MANITSME, MAPIGET, MINIASP, NEWSREELS, SEASALT, STARSYPOUND, SWORD, TABMSGSQL (TROJAN.LETSGO), TARSIP-ECLIPSE, TARSIP-MOON, WARP, WEBC2-AUSOV, WEBC2-BOLID, WEBC2-CLOVER, WEBC2-CSON, WEBC2-DIV, WEBC2-GREENCAT, WEBC2-HEAD, WEBC2-KT3, WEBC2-QBP, WEBC2-RAVE, WEBC2-TABLE, WEBC2-TOCK, WEBC2-UGX, WEBC2-Y21K, WEBC2-YAHOO

Preferred Attack Vector: Exploit comment feature on web applications; Spear-phishing emails (ZIP attachments or links)

TTP:

  • Compromise comment feature of web applications
  • May remain on compromised network for 1-5 years
  • May revisit the system over the course of months or years

Unique:

  • The Second Operational Bureau of the Third Department of the People’s Liberation Army (PLA) General Staff Department (GSD)
  • Believed located off Datong Road in Pudong, Shanghai
  • Operates on four large networks in Shanghai
  • Consists of personnel who are proficient in English and trained in computer security and computer network operations
  • Has breached over 150 organizations since 2002