Mandiant Releases Report Exposing One of China’s Cyber Espionage Groups

Mandiant®, the leader in advanced threat detection and response solutions, today released a detailed report exposing a multi-year espionage campaign by one of the largest “Advanced Persistent Threat” (APT) groups. The report, “APT1: Exposing One of China’s Cyber Espionage Units”, provides evidence linking one group, designated by Mandiant as APT1, to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Unit Cover Designator 61398) and details how it has systematically stolen confidential data from at least 141 organizations across multiple industries.

“APT1 is among dozens of threat groups Mandiant tracks around the world, and one of more than twenty attributed to China that are engaged in computer intrusion activities,” said Kevin Mandia, Mandiant’s chief executive officer. “Given the sheer amount of data this particular group has stolen, we decided it was necessary to arm and prepare as many organizations as possible to prevent additional losses.” 

In addition to the report, Mandiant is releasing more than 3,000 APT1 indicators to expose and degrade APT1’s infrastructure and allow organizations to bolster their defenses against APT1’s arsenal of digital weapons. The indicators released in conjunction with the report include domain names, MD5 hashes of malware and X.509 encryption certificates.

Mandiant’s MCIRT® Managed Defense customers and organizations that have licensed its enterprise-class incident response platform, Mandiant Intelligent Response®, have had previous access to the APT1 indicators released today. With the release of the report, Mandiant is making a set of the APT1 indicators available in the OpenIOC format so they can also be used in conjunction with Redline™, Mandiant’s free host-based investigative tool.

Additional highlights of the report include:

  • Evidence linking APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Unit Cover Designator 61398).
  • A timeline of APT1 economic espionage conducted since 2006 against 141 victims across multiple industries.
  • APT1’s modus operandi (tools, tactics, procedures) including a compilation of videos showing actual APT1 activity.
  • The timeline and details of over 40 APT1 malware families.
  • The timeline and details of APT1’s extensive attack infrastructure.

The full report, the indicators and a video detailing APT1 intrusion tactics and attacker activity can be accessed at http://www.mandiant.com/apt1.