APT 1, COMMENT PANDA – PLA Unit 61398, CHINA
Creation Date | 09/25/2023 |
Last Update | 09/25/2023 |
Author(s) | Jeremy Pickett, MixMode |
Change Log | 0.04 Technical Updates; 0.03 Initial MixMode version |
Details on APT1
PLA Unit 61398, commonly known as APT1 or Comment Panda (Advanced Persistent Threat 1), is a hacker group believed to be a unit of China's People's Liberation Army. This group has been implicated in various cyber espionage activities targeted primarily at the United States and other Western nations. Mandiant, a cybersecurity firm, released a comprehensive report in 2013 that traced APT1 activities to a 12-story building in Shanghai, suggesting the group had direct ties to the PLA.
Crews/Units/Gangs/Individuals Behind It
The unit is believed to consist of hundreds, possibly even thousands, of skilled hackers drawn from the People's Liberation Army and trained in advanced cyber-espionage tactics.
Timelines and Details
APT1 has been active since at least 2006, with documented activity in 2013 and 2014 and an increasing tempo of operations over the years. Their tactics generally include spear-phishing, social engineering, and the use of malware to exfiltrate data from target networks. They have been implicated in stealing intellectual property, sensitive business data, and even government secrets. The group appeared to go silent for a number of years, only to resurface in 2018.
Response
The U.S. and other nations have taken a diplomatic route in response, with indictments against certain alleged members of the group. Sanctions have been discussed as well. On the cybersecurity front, the identification of their specific tactics, techniques, and procedures (TTPs) has led to the development of countermeasures, including improved intrusion detection systems and threat-hunting capabilities.
Knock-On Effects
The revelations about APT1 led to increased awareness and investment in cybersecurity measures, not just in the U.S. but globally. It has resulted in companies and governments becoming more vigilant, adopting zero-trust models, and improving multi-factor authentication among other security improvements. However, the group's exposure hasn't entirely halted their activities; it has led to an evolution of their tactics, making them stealthier and more sophisticated.
In the longer term, the exposure of APT1's activities has had geopolitical repercussions, increasing tensions between the U.S. and China, particularly in the areas of trade and technology. The group's activities have contributed to a larger conversation about cybersecurity on the international stage, influencing policy decisions and strategic collaborations among countries.
General Detection Techniques
- Initial foothold usually gained through targeted spearphishing, not generalized phishing
- DNS beaconing (periodic lookups at near-constant intervals)
- Command and control servers reached via HTTP/HTTPS, including (but not limited to):
○ Rarely used GET/POST variables (unusual parameter names)
○ BASE64-encoded parameters
○ Chinese source/destination addresses surfacing among terabytes of forensic data
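The two network-side indicators above (beaconing at a near-constant interval, and C2 requests carrying rare parameter names with Base64-looking values) can be checked mechanically against proxy or DNS logs. The following is an added example written for this profile, not MixMode's or Mandiant's code; the log lines, hostnames and thresholds are constructed, and the same interval logic applies unchanged to DNS query logs.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log, "timestamp source url", in chronological order (not captured traffic).
PROXY_LOG = """\
2023-09-25T10:00:00 ws-17 http://cdn.example-assets.test/img.php?id=42
2023-09-25T10:00:04 ws-17 http://update-check.test/c.php?zx=VGhlIHF1aWNrIGJyb3duIGZveA==
2023-09-25T10:10:05 ws-17 http://update-check.test/c.php?zx=dXNlcj1hZG1pbg==
2023-09-25T10:20:03 ws-17 http://update-check.test/c.php?zx=aGVsbG8gd29ybGQ=
2023-09-25T10:30:06 ws-17 http://update-check.test/c.php?zx=SGVsbG8sIFdvcmxkIQ==
2023-09-25T10:33:00 ws-22 http://news.example-site.test/story?id=8&page=2
"""
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def is_base64_like(value):
    # Heuristic: Base64 alphabet, >= 12 chars, length a multiple of 4, mixed case (skips hex/plain words).
    return (len(value) >= 12 and len(value) % 4 == 0 and bool(B64_RE.match(value))
            and value != value.lower() and value != value.upper())

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, url = line.split(" ", 2)
        u = urlsplit(url)
        rows.append((datetime.fromisoformat(ts), src, u.hostname, parse_qsl(u.query)))
    return rows

def suspicious_requests(rows):
    # A parameter name used against only one destination, carrying a Base64-looking value.
    hosts_per_param = defaultdict(set)
    for _, _, host, params in rows:
        for name, _ in params:
            hosts_per_param[name].add(host)
    return [(src, host, name) for _, src, host, params in rows
            for name, value in params
            if len(hosts_per_param[name]) == 1 and is_base64_like(value)]

def beacon_pairs(rows, min_intervals=3, max_jitter=0.1):
    # (source, destination) pairs whose request spacing is nearly constant, i.e. beaconing.
    times = defaultdict(list)
    for ts, src, host, _ in rows:
        times[(src, host)].append(ts)
    flagged = {}
    for key, ts_list in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) >= min_intervals and statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            flagged[key] = round(statistics.mean(gaps))
    return flagged
```

On the constructed log this flags the four `zx=` requests from ws-17 and reports that pair as beaconing roughly every 601 seconds, while the `id` and `page` parameters pass. Note that `parse_qsl` decodes `+` as a space, so a production pipeline should test the raw query string before URL-decoding.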
Associated Malware and Tools
- GIF89a
- ShadyRAT
- Shanghai Group
- Byzantine Candor
- Oceansalt
Detection Classifications
Vendor | Designation |
Crowdstrike | Comment Panda |
Mandiant | APT1 |
Symantec | |
Palo Alto | |
Cisco | Group 3 |
MITRE | G0006 (https://attack.mitre.org/groups/G0006/) |
References
- https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
- https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
- https://www.mandiant.com/resources/reports/apt1-exposing-one-chinas-cyber-espionage-units
- https://circleid.com/posts/20201215-revisiting-apt1-iocs-with-dns-and-subdomain-intelligence