Mandiant® - Detect. Respond. Contain.

Mandiant Intelligence Center Report

APT1: Exposing One of China's Cyber Espionage Units

This report is focused on the most prolific cyber espionage group Mandiant tracks: APT1. This single organization has conducted a cyber espionage campaign against a broad range of victims since at least 2006.

Digital Appendix & Indicators

Access more than 3,000 APT1 indicators, including domain names, IP addresses, X.509 certificates and MD5 hashes of the malware in APT1's arsenal of digital weapons.

Highlights

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. The scale and impact of APT1's operations compelled us to write this report. To help bolster defenses against APT1 operations, Mandiant is also releasing more than 3,000 indicators as part of the appendix to this report; they can be used with our free tools and our commercial products to search for signs of APT attack activity.

Highlights of the report include:

  • APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
  • APT1 maintains an extensive infrastructure of computer systems around the world.
  • In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
  • The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
  • In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
  • Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.
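The indicator types listed above (domain names, IP addresses, X.509 certificates and MD5 hashes) are only useful once they are matched against local telemetry. The following is an added example, not Mandiant's tooling and not taken from the report or its appendix: it shows how a practitioner would apply such an indicator set to proxy log lines and to file hashes, and how to check a downloaded artifact against published MD5 and SHA-1 values like the ones at the bottom of this page. All indicators, log lines and the log format are constructed placeholders (reserved documentation domains and TEST-NET addresses); a real run would load the lists from the appendix instead. X.509 indicators would be matched the same way as the hash set, by comparing the fingerprint of an observed certificate against the published one.

```python
import hashlib
import re

# Constructed placeholder indicators (NOT APT1's real indicators). In practice
# these sets are loaded from the appendix's domain, IP and MD5 lists.
IOC_DOMAINS = {"update.example.invalid", "cdn.example.invalid"}
IOC_IPS = {"203.0.113.25", "198.51.100.7"}               # TEST-NET ranges
IOC_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}          # MD5 of the empty file, stand-in

# Assumed log format: "<timestamp> <src_ip> <dst_ip> <requested_host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst_ip>\S+) (?P<host>\S+)")

# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = [
    "2013-02-19T10:00:01Z 10.0.0.5 192.0.2.1 www.example.com",
    "2013-02-19T10:00:07Z 10.0.0.5 203.0.113.25 mail.update.example.invalid",
    "2013-02-19T10:00:09Z 10.0.0.8 192.0.2.10 cdn.example.invalid",
    "this line is malformed and must not crash the scan",
]


def domain_matches(host, ioc_domains=IOC_DOMAINS):
    """Return the matching IOC domain if host equals it or is a subdomain of it.

    The "." prefix in the suffix check matters: a plain endswith() would make
    notupdate.example.invalid match update.example.invalid.
    """
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return [(line_number, [reasons])] for every line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not silently treated as clean
        reasons = []
        d = domain_matches(m["host"], ioc_domains)
        if d:
            reasons.append("domain:" + d)
        if m["dst_ip"] in ioc_ips:
            reasons.append("ip:" + m["dst_ip"])
        if reasons:
            hits.append((n, reasons))
    return hits


def md5_hex(data):
    """Lower-case hex MD5 of a file's bytes, the form used for malware hash IOCs."""
    return hashlib.md5(data).hexdigest()


def file_matches(data, ioc_md5=IOC_MD5):
    """True if the file's MD5 is in the indicator set."""
    return md5_hex(data) in ioc_md5


def verify_download(data, expected_md5, expected_sha1):
    """Check an artifact against both published digests.

    Checking both is cheap, and MD5 alone is collision-prone; a file that passes
    only one of the two should be treated as suspect.
    """
    return (hashlib.md5(data).hexdigest() == expected_md5.lower()
            and hashlib.sha1(data).hexdigest() == expected_sha1.lower())


if __name__ == "__main__":
    for n, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
    print("empty file matches MD5 IOC:", file_matches(b""))
```

Run it as-is to see the two indicator hits from the constructed log; to verify the report download, call `verify_download(open("Mandiant_APT1_Report.pdf", "rb").read(), md5, sha1)` with the MD5 and SHA-1 published below.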

Mandiant_APT1_Report.pdf
MD5: 936FEB234F60CFBF6916BA61FBAB2781
SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84

Mandiant_APT1_Report_Appendix.zip
MD5: FD103F16BBBB28162C23BE3A47371AA9
SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154