The Advanced Persistent Threat Files: APT1

William Tsing

William Tsing

We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target.

While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in context sufficient enough for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re looking at APT1. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT1?

APT1 has been identified by various parties as unit 61398 of the People’s Liberation Army. They were one of the first APT groups to be publicly named, in a report released by Mandiant (now owned by FireEye) in 2013. APT1 was noted for wide scale and high volume collection, targeting roughly 150 mostly English-speaking companies at time of reporting.

Targeting industries noted as internal development areas by China’s 12th 5 year plan, APT 1 was notable in contrast to more familiar threat groups by their persistence (average observed persistence on target was 356 days), and their ability to compromise a target using multiple attack vectors.

Malware commonly deployed

APT1 is known for deploying the following malware:

  • Poison Ivy
  • Custom backdoors delivered by spear phish
  • Mimikatz
  • SeaSalt

NOTE: It’s generally inappropriate to attribute an attack based solely on the malware deployed. APT actors do not operate in a vacuum; they’re capable of collaborating with each other, as well as selling malware to other groups upon conclusion of an ops cycle.

Should you be worried?

Probably not. After a catastrophic OPSEC failure like the Mandiant report, it’s highly unlikely that the group still exists in the form originally disclosed. Disclosure of specific threat actors in the unit, as well as the unit’s physical location and infrastructure, eroded their counterintelligence posture such that it would be difficult to continue network operations without significant changes.

In 2015, President Obama and Xi Jinping met to discuss how both countries would address cyber espionage. Since that time, broad spectrum indiscriminate collection of the type APT1 engaged in has since waned in favor of targeted attacks, or upstream targeting of service providers to high value targets. If you do not belong to a cleared government contracting company, a large scale telecom, or a law firm providing services to either of the above, you most likely do not face a significant threat from any Chinese APT group.

What might they do next?

Probably not much, due to both political priority changes, and counterintelligence failures exposing experienced operators. However, in October 2018, Mcafee released a report on code reused from an APT1 backdoor employed to launch attacks against targets in the US, South Korea, and Canada. Differences in TTPs suggest this is not an APT1 operation, but instead a new campaign that is reusing old code from a variety of sources.

Given that APT1 themselves were no longer able to operate with impunity, it seems reasonable that they would disseminate tools to threat actor groups with better counterintelligence postures.