1. Home
  2. Groups
  3. APT1

APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]

ID: G0006
Associated Groups: Comment Crew, Comment Group, Comment Panda
Version: 1.4
Created: 31 May 2017
Last Modified: 26 May 2021

Associated Group Descriptions

Name Description
Comment Crew

[1]
Comment Group

[1]
Comment Panda

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

APT1 used the commands net localgroup,net user, and net group to find accounts on the system.[1]
Enterprise T1583 .001 Acquire Infrastructure: Domains

APT1 has registered hundreds of domains for use in operations.[1]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT1 has used RAR to compress files before moving them outside of the victim network.[1]
Enterprise T1119 Automated Collection

APT1 used a batch script to perform a series of discovery techniques and saves it to a text file.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.[1]
Enterprise T1584 .001 Compromise Infrastructure: Domains

APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.[1]
Enterprise T1005 Data from Local System

APT1 has collected files from a local victim.[1]
Enterprise T1114 .001 Email Collection: Local Email Collection

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.[1]
.002 Email Collection: Remote Email Collection

APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.[1]
Enterprise T1585 .002 Establish Accounts: Email Accounts

APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[1][3]
Enterprise T1135 Network Share Discovery

APT1 listed connected network shares.[1]
Enterprise T1588 .001 Obtain Capabilities: Malware

APT1 used publicly available malware for privilege escalation.[1]
.002 Obtain Capabilities: Tool

APT1 has used various open-source tools for privilege escalation purposes.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT1 has been known to use credential dumping using Mimikatz.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT1 has sent spearphishing emails containing malicious attachments.[1]
.002 Phishing: Spearphishing Link

APT1 has sent spearphishing emails containing hyperlinks to malicious files.[1]
Enterprise T1057 Process Discovery

APT1 gathered a list of running processes on the system using tasklist /v.[1]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

The APT1 group is known to have used RDP during operations.[4]
Enterprise T1016 System Network Configuration Discovery

APT1 used the ipconfig /all command to gather network configuration information.[1]
Enterprise T1049 System Network Connections Discovery

APT1 used the net use command to get a listing on network connections.[1]
Enterprise T1007 System Service Discovery

APT1 used the commands net start and tasklist to get a listing of the services on the system.[1]
Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

The APT1 group is known to have used pass the hash.[1]

Software

ID Name References Techniques
S0017 BISCUIT [1] Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Asymmetric Cryptography, Fallback Channels, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Screen Capture, System Information Discovery, System Owner/User Discovery
S0119 Cachedump [1] OS Credential Dumping: Cached Domain Credentials
S0025 CALENDAR [1] Command and Scripting Interpreter: Windows Command Shell, Web Service: Bidirectional Communication
S0026 GLOOXMAIL [1] Web Service: Bidirectional Communication
S0008 gsecdump [1] OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager
S0100 ipconfig [1] System Network Configuration Discovery
S0121 Lslsass [1] OS Credential Dumping: LSASS Memory
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [1] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0122 Pass-The-Hash Toolkit [1] Use Alternate Authentication Material: Pass the Hash
S0012 PoisonIvy [1] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0006 pwdump [1] OS Credential Dumping: Security Account Manager
S0345 Seasalt [3][5] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Obfuscated Files or Information, Process Discovery
S0057 Tasklist [1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0109 WEBC2 [1] Command and Scripting Interpreter: Windows Command Shell, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer
S0123 xCmd [3] System Services: Service Execution

References

  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  3. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  1. FireEye Labs. (2014, May 20). The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity. Retrieved November 4, 2014.
  2. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.