Introduction
APT1 is a Chinese cyber espionage group, attributed by Mandiant to the People's Liberation Army's Unit 61398 [6], that has conducted sustained espionage against a broad range of victims.
Activities and Tactics
Targeted Sectors: Government, Defense, Technology, Private sector
Country of Origin: 🇨🇳 China
Risk Level: High
First Seen: 2006
Last Activity: 2023
Incident Type: Espionage
Suspected Victims: United States, Taiwan, Israel, Norway, United Arab Emirates, United Kingdom, Singapore, India, Belgium, South Africa…
Notable Campaigns
- Shady RAT
- GhostNet
Tactics, Techniques, and Procedures (TTPs)
- T1003.001 LSASS Memory
- T1057 Process Discovery
- T1005 Data from Local System
- T1550.002 Pass the Hash
- T1583.001 Domains
- T1560.001 Archive via Utility
- T1119 Automated Collection
- T1114.002 Remote Email Collection
- T1566.002 Spearphishing Link
- T1016 System Network Configuration Discovery
- T1114.001 Local Email Collection
- T1588.001 Malware
- T1049 System Network Connections Discovery
- T1585.002 Email Accounts
- T1584.001 Domains
- T1036.005 Match Legitimate Resource Name or Location
- T1087.001 Local Account
- T1566.001 Spearphishing Attachment
- T1135 Network Share Discovery
- T1059.003 Windows Command Shell
- T1588.002 Tool
- T1007 System Service Discovery
- T1021.001 Remote Desktop Protocol
ATT&CK technique IDs (denormalized)
- T1003.001
- T1005
- T1007
- T1016
- T1021.001
- T1036.005
- T1049
- T1057
- T1059.003
- T1087.001
- T1114.001
- T1114.002
- T1119
- T1135
- T1550.002
- T1560.001
- T1566.001
- T1566.002
- T1583.001
- T1584.001
- T1585.002
- T1588.001
- T1588.002
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 2 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- Hacking Team UEFI Rootkit
- WEBC2
- BISCUIT and many others
MITRE ATT&CK Software
- Seasalt (S0345) – malware
- ipconfig (S0100) – tool
- BISCUIT (S0017) – malware
- Cachedump (S0119) – tool
- PsExec (S0029) – tool
- GLOOXMAIL (S0026) – malware
- Lslsass (S0121) – tool
- PoisonIvy (S0012) – malware
- WEBC2 (S0109) – malware
- Mimikatz (S0002) – tool
- gsecdump (S0008) – tool
- Pass-The-Hash Toolkit (S0122) – tool
- CALENDAR (S0025) – malware
- Tasklist (S0057) – tool
- Net (S0039) – tool
- xCmd (S0123) – tool
- pwdump (S0006) – tool
Attribution and Evidence
Country of Origin: China
Mandiant's public report [6] attributes APT1 to the People's Liberation Army's Unit 61398, based in Shanghai.
Additional attribution information pending cataloguing.
References
[1] mitre-attack: MITRE ATT&CK.
[6] Mandiant. (2013, February). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
[7] CrowdStrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.