>samit_hota
Back to adversary profiles
G0022HighDormant

APT3 Profile: A Legacy of Chinese Cyber Espionage

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intellectual Property Theft, Economic Espionage, Intelligence Gathering
Aliases
Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Target Sectors
Aerospace, Defense, Construction and Engineering, Telecommunications, Transportation, High-Tech, Government
Associated Malware
HTran, Pirpi, PlugX, Sogu, Kaba, SHOTPUT, COOKIECUTTER, Bemstour, DoublePulsar, Hupigon
#threat-actor#g0022

Overview

APT3, also tracked under aliases such as Gothic Panda, Pirpi, UPS Team, and Buckeye, is a highly sophisticated China-based cyber espionage group. First observed around 2007, and active until approximately mid-2017, this group has been attributed to the Chinese Ministry of State Security (MSS), with specific links to the Guangzhou Boyu Information Technology Company, Ltd. (Boyusec), which intelligence reports indicate acted as a front. The group’s primary motivation was to serve Chinese national interests through intelligence gathering and economic espionage. This included the theft of intellectual property, defense technology blueprints, and sensitive information crucial for China’s economic and military modernization. APT3 consistently demonstrated high technical proficiency, including the rapid exploitation of zero-day vulnerabilities.

Historically, APT3’s targets primarily encompassed organizations in the United States and the United Kingdom, focusing on critical sectors such as aerospace, defense, construction and engineering, telecommunications, and high-tech industries. A notable shift in their targeting patterns occurred around 2015-2016, where the group pivoted to focus on political organizations in Hong Kong, aligning with evolving geopolitical interests and political tensions. The group’s operations often targeted entities involved in innovation and policy development, enabling them to acquire valuable economic and strategic intelligence.

Tactics & Techniques

APT3 employed a well-structured and adaptable approach to compromise targets, aligning with various stages of the cyber kill chain. Initial access was frequently gained through spear-phishing emails containing malicious links, designed to exploit known software vulnerabilities. They also extensively utilized watering hole attacks, compromising legitimate websites to distribute malware selectively to their intended victims.

A hallmark of APT3’s operations was their agility in exploiting both zero-day and n-day vulnerabilities, particularly in widely used software like Adobe Flash Player, Internet Explorer, and Microsoft Office. Once inside a network, APT3 actors demonstrated a knack for maintaining persistence and expanding their foothold. They commonly leveraged Windows administrative tools, PowerShell scripts, and scheduled tasks for executing malicious code. Persistence mechanisms included the use of stolen credentials, creating new accounts, hijacking accessibility features, and placing malware in startup folders.

For lateral movement, APT3 relied on credential theft, including dumping passwords from browsers and injecting into lsass.exe to extract credentials. They were also known to copy files to Windows Admin Shares (like ADMIN$) and enable Remote Desktop Protocol (RDP) for interactive access. To evade detection, APT3 obfuscated files and information, packed their tools, and meticulously removed indicators of compromise. They also employed techniques such as DLL side-loading with legitimate applications like Chrome to mask their malicious activities.

Notable Campaigns

APT3 is publicly known for several significant cyber espionage campaigns that showcased their advanced capabilities:

  • Operation Clandestine Fox (2014): This operation involved the exploitation of a then-unknown Internet Explorer zero-day vulnerability (CVE-2014-1776). The campaign used spear-phishing and watering hole attacks, targeting IE6 through IE11, specifically focusing on versions 9 through 11.
  • Operation Clandestine Wolf (2015): In this campaign, APT3 exploited an Adobe Flash Player zero-day (CVE-2015-3113) as part of a phishing campaign.
  • Operation Double Tap (2014): APT3 exploited two already-known vulnerabilities, CVE-2014-6332 and CVE-2014-4113, in a spear-phishing campaign. This operation signaled a strategic shift by the group, demonstrating a focus on increasing the volume of attacks through the use of known exploits alongside social engineering.

The group’s activities culminated in a United States Department of Justice (DoJ) indictment in November 2017, which identified three Chinese nationals as Boyusec employees involved in compromising U.S. company networks.

Associated Malware & Tools

APT3 utilized a diverse arsenal of custom and publicly available tools and malware to achieve their objectives. Key components included:

  • Backdoors and Remote Access Trojans (RATs): Pirpi, Sogu (also known as Gh0st), and Kaba were prominent custom backdoors used for maintaining persistent access and exfiltrating data. Hupigon was another backdoor used.
  • Tunneling and Proxy Tools: HTran and SOCKS proxy were frequently employed for establishing covert communication channels and evading detection.
  • Exploit Kits and Utilities: The group was proficient in developing and deploying custom exploit toolkits. They also utilized tools for stealing user credentials such as LaZagne and those designed to dump passwords from browsers.
  • Other Noteworthy Tools: SHOTPUT and COOKIECUTTER were associated with APT3 operations. Bemstour was a custom exploit tool used to deliver the DoublePulsar backdoor. They also used an APT3 Keylogger for keystroke recording, OSInfo for system enumeration, RemoteCMD for remote command execution, shareip, TTCalc, and w32times.
  • Advanced Exploits: Notably, APT3 demonstrated access to sophisticated tools, including those from the NSA’s Equation Group (such as DoublePulsar and EternalBlue) which they were observed using in 2016, before these tools were publicly leaked by the Shadow Brokers in 2017. This raised significant questions regarding their intelligence acquisition capabilities.

Current Status

As a distinct operational entity, APT3’s activities appear to have significantly diminished and largely ceased around mid-2017. This disruption is primarily attributed to increased public scrutiny, detailed attribution by cybersecurity researchers, and subsequent legal actions, including the 2017 U.S. DoJ indictment.

While APT3 may no longer operate in its previous capacity, its legacy and influence are still evident within the broader Chinese cyber threat landscape. Security analysts suggest that APT3’s personnel, tools, or methodologies might have been absorbed into other China-aligned threat groups, such as APT10 and APT17. This reflects a fluid ecosystem where new actors emerge, often building upon the techniques and tradecraft pioneered by groups like APT3. Consequently, while the specific APT3 designation might be considered largely dormant, the techniques and strategic objectives it pursued continue to impact the nature of modern cyber threats from China-nexus actors. Organizations should remain vigilant for TTPs reminiscent of APT3, as these foundational methods continue to evolve within successor groups.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call