Also known as: Comment Crew, Comment Group
First known appearance: 2006
Threat Actors: Communist Party of China, Chinese People’s Liberation Army Unit 6138
Targets: Corporations across a broad range of industries in English-speaking countries
Objective: To steal broad categories of intellectual property (IP), including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists.
Overview: APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations spanning 20 major industries. APT1 specifically targets industries that China identifies as strategic in its five-year plan. Once APT1 has established access to a network, it periodically revisits that network over months or years.
Associated malware: Trojan.Ecltys, Backdoor.Barkiofork, Backdoor.Wakeminap, Trojan.Downbot, Backdoor.Dalbot, Backdoor.Revird, Trojan.Badname, Backdoor.Wualess.
Typical attack vectors: APT1 uses spear-phishing attacks or backdoors to gain a foothold and then uses publicly available tools to escalate privileges. Employing built-in operating system commands, APT1 then explores the compromised system and its network environment. Files of interest are packed into archives and sent back to China via file transfer protocol (FTP).
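As an added defensive example (not part of the original profile), the following Python correlates the staging pattern described above, archive creation on a host followed shortly by a large outbound FTP session, over constructed sample telemetry. The log format, hostnames, IP addresses, archiver names and thresholds are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): timestamp|host|kind|detail
SAMPLE_EVENTS = r"""
2024-03-01T08:30:00|ws-40|netflow|203.0.113.9:21 bytes_out=500
2024-03-01T09:00:12|ws-17|process|cmd.exe /c ipconfig /all
2024-03-01T09:01:40|ws-17|process|cmd.exe /c net view /domain
2024-03-01T09:14:05|ws-17|process|rar.exe a -hp C:\Users\Public\out.rar C:\Projects
2024-03-01T09:20:31|ws-17|netflow|198.51.100.23:21 bytes_out=83456120
2024-03-01T10:02:00|ws-22|process|rar.exe a C:\backup\docs.rar C:\docs
2024-03-02T11:00:00|ws-22|netflow|198.51.100.23:21 bytes_out=12000
"""

ARCHIVERS = ("rar.exe", "7z.exe", "makecab")   # archivers commonly used for staging (assumed list)
FTP_PORT = 21
WINDOW = timedelta(hours=1)                     # archive must precede the FTP session within this
MIN_BYTES = 10 * 1024 * 1024                    # ignore small FTP sessions (10 MiB threshold, assumed)

def parse_events(text):
    """Split pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def is_archive_creation(detail):
    return any(tool in detail.lower() for tool in ARCHIVERS)

def parse_netflow(detail):
    # detail looks like "dst:port bytes_out=N"
    endpoint, stat = detail.split()
    dst, port = endpoint.rsplit(":", 1)
    return dst, int(port), int(stat.split("=", 1)[1])

def find_staged_ftp_exfil(log_text, window=WINDOW, min_bytes=MIN_BYTES):
    """Flag hosts where a large outbound FTP session follows archive creation."""
    alerts, last_archive = [], {}   # last_archive: host -> time of newest archive creation
    for ev in parse_events(log_text):
        if ev["kind"] == "process" and is_archive_creation(ev["detail"]):
            last_archive[ev["host"]] = ev["ts"]
        elif ev["kind"] == "netflow":
            dst, port, bytes_out = parse_netflow(ev["detail"])
            staged = last_archive.get(ev["host"])
            if (port == FTP_PORT and bytes_out >= min_bytes
                    and staged is not None and ev["ts"] - staged <= window):
                alerts.append({"host": ev["host"], "dst": dst, "bytes_out": bytes_out,
                               "archived_at": staged.isoformat(), "ftp_at": ev["ts"].isoformat()})
    return alerts
```

On the sample data only ws-17 is flagged: ws-22 archives files but its FTP session is a day later and tiny, and ws-40 has FTP traffic with no preceding archive.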