>samit_hota
Back to adversary profiles
G0006HighActive

APT1 Threat Profile: China's Pioneering Cyber Espionage Unit

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intellectual Property Theft, Economic Advantage
Aliases
Comment Crew, Comment Group, Comment Panda
Target Sectors
Aerospace, Technology, Government, Defense, Finance, Healthcare, Energy, IT, Telecommunications, Manufacturing, Education
Associated Malware
WEBC2, Poison Ivy, Mimikatz, GETMAIL, MAPIGET, AURIGA, BANGAT, CALENDAR, COMBOS, Seasalt/Oceansalt
#threat-actor#g0006

Overview

APT1, also known by aliases such as Comment Crew, Comment Group, and Comment Panda, is a highly sophisticated and prolific advanced persistent threat (APT) group with a long history of state-sponsored cyber espionage. This group is widely attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, specifically identified by its Military Unit Cover Designator (MUCD) as Unit 61398. Operating from a 12-story building in the Pudong New Area of Shanghai, China, APT1 has been actively engaged in cyber operations since at least 2006. The group is believed to consist of dozens to hundreds of highly trained cybersecurity personnel, many of whom are proficient in English.

The primary motivation behind APT1’s activities is large-scale cyber espionage, with a heavy emphasis on stealing intellectual property and confidential data to serve China’s economic and strategic interests. They have systematically targeted a broad spectrum of industries critical to national security and economic stability. Their victims span sectors including aerospace, technology, government, defense, finance, healthcare, energy, education, IT, telecommunications, and manufacturing. Geographically, APT1 has focused predominantly on English-speaking countries, with a significant number of their reported victims (approximately 87%) being headquartered in the United States and Europe. The scale of their operations is immense, having reportedly compromised over 140 organizations across 20 industries and exfiltrated hundreds of terabytes of data. APT1’s operations are characterized by their persistence, often maintaining access to victim networks for an average of 356 days, with some intrusions lasting for nearly five years.

Tactics & Techniques

APT1 employs a well-defined and methodical attack lifecycle designed for long-term infiltration and data exfiltration.

Their initial access typically relies on spear phishing campaigns, where highly targeted emails containing malicious attachments or links are sent to employees. These attachments often exploit known vulnerabilities to deliver malicious payloads. The group has also utilized watering hole attacks, compromising legitimate websites frequented by their targets to infect visitors with malware.

Once inside a network, APT1 leverages custom malware and remote access tools to establish persistence. They are known for exploiting vulnerabilities and using tools like Mimikatz to gain elevated privileges and dump credentials from memory. The group often employs masquerading tactics, naming their malware after legitimate processes (e.g., AcroRD32.exe) to evade detection. They also utilize “living-off-the-land” (LOL) techniques, using legitimate system tools and processes to operate stealthily within compromised networks.

For discovery, APT1 extensively uses standard Windows command-line tools such as tasklist /v, net user, ipconfig /all, net localgroup, net group, and net use to map networks, list running processes, enumerate accounts, and identify connected network shares. Lateral movement within the network is often achieved through Remote Desktop Protocol (RDP) and pass-the-hash techniques.

Their command and control (C2) communication is a notable aspect of their operations, with the group earning the “Comment Crew” moniker for their signature method of embedding commands within HTML comments on attacker-controlled web pages. This technique allows their WEBC2 backdoors to retrieve and execute instructions covertly. APT1 also registers hundreds of domains and uses compromised domains for C2.

For data exfiltration, APT1 utilizes automated scripts and custom tools like GETMAIL and MAPIGET to collect specific data, especially emails from archived Outlook PST files and Exchange servers. Collected data is frequently compressed using RAR before being moved outside the victim network.

Notable Campaigns

APT1 has been linked to numerous significant cyber espionage campaigns, demonstrating a consistent focus on strategic data theft.

One of their most defining activities, highlighted in the seminal 2013 Mandiant report, was a multi-year, enterprise-scale campaign involving the theft of hundreds of terabytes of data from at least 141 organizations globally, ongoing since at least 2006. This extensive operation aimed at stealing intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, and communication data.

The group is also associated with Operation Shady RAT, a campaign spanning from 2006 to 2011, which targeted at least 71 institutions across 14 different countries, including government agencies and private sector entities in the United States, Canada, and Japan.

Between 2011 and 2013, APT1 was implicated in a campaign targeting critical infrastructure in the United States, specifically 23 oil and natural gas pipeline operators. This operation reportedly involved reconnaissance missions with the intent to develop capabilities to cause physical damage to pipeline systems, and compromises were confirmed for at least 13 of these organizations.

While some sources mention APT1’s involvement in Operation Aurora (2009) targeting major technology companies for intellectual property, and suggest a potential link to Operation Cloud Hopper (infiltrating managed service providers), it’s important to note these attributions can sometimes involve broader Chinese-affiliated groups or similar TTPs. The “Siesta” campaign, identified by FireEye, also shows tools and modus operandi similar to APT1, raising the possibility of the group’s involvement or the re-use of their tactics.

Associated Malware & Tools

APT1 utilizes a diverse arsenal of custom malware and readily available tools, adapting them to their specific espionage objectives.

A signature component of their toolkit is the WEBC2 backdoor, which gave the group its “Comment Crew” alias. This custom malware is designed to retrieve commands hidden within HTML comment tags on attacker-controlled web pages, allowing for covert command and control communication.

Other custom backdoors and malware variants include AURIGA, BANGAT, CALENDAR, and COMBOS, which are used for persistence, data exfiltration, and maintaining C2 communications. The group has also been known to use public or commercially available tools. Poison Ivy, a well-known remote access Trojan (RAT), has been frequently deployed by APT1.

For credential access and privilege escalation, APT1 extensively uses tools like Mimikatz and gsecdump to dump credentials from memory. To exfiltrate emails, they employ specialized utilities called GETMAIL and MAPIGET, which extract data from archived Outlook PST files and live Exchange servers, respectively. Data collected for exfiltration is commonly compressed using RAR.

More recently, the resurfacing of APT1 implant code as part of the Seasalt and Oceansalt malware families, discovered in attacks targeting South Korean, United States, and Canadian entities, suggests a continued evolution or re-use of their techniques. The group also leverages common system utilities and batch scripting for task automation and system reconnaissance.

Current Status

The public exposure of APT1’s extensive operations by Mandiant in February 2013 represented a landmark event in cybersecurity, directly attributing state-sponsored cyber espionage to a specific unit of the Chinese military. Following this report, there was an initial curtailment of the direct operational activities explicitly identified as APT1.

However, the entity to which APT1 is attributed, PLA Unit 61398, remains active. Reports from as late as 2014 indicated that APT1 itself was still active and garnering interest, suggesting an adaptation rather than complete cessation. In August 2013, security firms reported that APT1 and other Chinese hacking groups resumed their cyber espionage operations despite the public exposure. Furthermore, analyses in recent years indicate that the tactics, techniques, and procedures (TTPs) associated with APT1 continue to be observed and repurposed by other Chinese threat groups, signifying a lasting legacy and influence. The resurfacing of APT1 implant code in malware like Seasalt and Oceansalt also suggests that elements of their operational methodology persist, even if under new guises or by related actors.

In May 2014, the U.S. Department of Justice further underscored the gravity of APT1’s activities by indicting five members of PLA Unit 61398 on charges of theft of confidential business information and intellectual property from U.S. commercial firms, marking a direct confrontation with Beijing over state-sponsored hacking. While the direct, easily traceable “APT1” activities may have shifted or become more obfuscated, the underlying mandate for cyber espionage from its attributed Chinese military unit continues, with its pioneering TTPs influencing ongoing cyber operations.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call