Part I of our series on China’s state-sponsored hackers summarized the motivations, methods, and underlying structure of their cyber divisions. In Part II, we delve into some of China’s well-known Advanced Persistent Threat (APT) groups and their high-profile attacks.
China employs (or has employed) dozens of APT groups over the past decade. They’re so prolific, to cover them all would be outside the scope of this blog. However, here are a few noteworthy examples:
As one could guess from its name, APT 1 was the first Advanced Persistent Threat group ever named. The group began operations in 2006 (a year before Apple released the first iPhone). Part of the People’s Liberation Army (PLA) Unit 61398, they were linked directly to the communist government of China. In fact, according to an in-depth report on APT 1 by the cybersecurity firm Mandiant, they received fiber-optic infrastructure provided by a state-owned corporation under the auspices of national defense. This was no two-Yuan hacking unit. Hundreds of hackers worked in the group from 2006-2014.
The majority of their attacks targeted the United States. They stole sensitive information from the country’s IT, aerospace, and engineering sectors, among many others. Using advanced techniques, they infected networks, pilfered data, and left with only small traces of evidence they were ever there. Specialists in phishing, APT 1 hackers disguised .exe and zip files as common Adobe PDF files to avoid suspicion.
High-profile APT 1 attacks
- The first known attack attributed to the group was against a Japanese wing of the cybersecurity company Symantec. It was unknown at the time, but in 2012 new outlets reported the hackers stole the source code to the Norton antivirus software. With the source code, APT 1 had what they needed to find all the program’s vulnerabilities and exploit them as necessary.
- In 2012, APT 1 infiltrated Telvent’s network. Telvent was a multinational energy company with operations in the United States, Canada, and Europe. This fits the group’s modus operandi of targeting infrastructure-related organizations. It served as a great way to spy on other country’s energy grids and allowed China to steal proprietary smart grid technology.
- One of the most interesting cases is the 2011 hacks by the group Anonymous. Anonymous is a famous hacker gang that rose to prominence by carrying out DDoS attacks against the Church of Scientology in 2008. In 2011, the Guy Fawkes mask-donning hacktivists attacked the cybersecurity firm HBGary Federal in retaliation for its investigations into the group. Strangely, the Mandiant report linked above ties APT 1 to these hacks. Is China a significant part of Anonymous? It seems possible.
APT 1 was extremely prolific, with hundreds if not thousands of victims over its active years. After the aforementioned Mandiant report released, the group slunk back into the cyber shadows. Analysts believe it broke up, and its assets distributed to other, more contemporary hacker groups.
In 2018, malware code associated with APT 1 resurfaced in an attack. Most cybersecurity experts do not believe it was the old hacker gang, however. Most likely, a different Chinese APT group used the old code after APT 1 disbanded.
Coincidentally, 2014 wasn’t only the year APT 1 went silent; it’s also when Mustang Panda became active. They weren’t noticed until three years later when the cybersecurity firm, Crowdstrike, observed them targeting a U.S. think tank.
At first, they mostly set their sights on international non-governmental organizations and targets within the Mongolian government. They soon moved on to bigger fish, however. Recently cybersecurity professionals deemed them responsible for two major incidents.
The global COVID-19 pandemic provided hacker groups such as Mustang Panda the opportunity to phish unsuspecting victims. While unfortunate, it has proven to be an effective tactic. By using emails with malware attachments and links related to the coronavirus, people are more likely to open them. Mustang Panda is targeting Taiwan and Vietnam specifically with fake emails intended to lure victims wanting information about the pandemic.
The Vatican gets attacked
Unapproved religions are not looked at kindly by the Chinese government. The Catholic Church cut off diplomatic ties with China in 1951, and only recently are the frosty relations beginning to thaw. While dialogue between the Holy See and Chinese officials has started, Mustang Panda recently hacked Vatican officials to gather intel about the Church’s intentions. Not exactly establishing new relationships built on trust.
APT 41 is well-known for targeting video game companies in their attacks. Active since at least 2012, they differ from other Chinese hacking groups in that they use custom malware tools typically reserved for espionage for financially-motivated attacks. For example, in 2014, they hacked the Southeast Asian distributor of video games such as League of Legends, FIFA Online, and Path of Exile. They infiltrated their production environments and inserted malware to accumulate millions of dollars in virtual currency. Then, they used money laundering techniques to cash out. Besides video game companies, they also target healthcare, pharmaceuticals, retail, telecoms, education, and other related sectors.
In September of 2020, the United States Department of Justice charged five Chinese citizens affiliated with APT 41 with multiple felonies. They are still at large and are now and thought to be in China.
The tip of the iceberg
There are many more Chinese APT groups out there worth mentioning. There may even be more hacker codename Panda groups than actual pandas in the wild! It’s got to be close. China has the most resources and money out of any of the big state-sponsored hacking institutions. With the amount of success they’ve had, they probably won’t be stopping their activities any time soon. That’s why companies and government organizations worldwide need to be aware of their systems’ dangers and vulnerabilities. Investment in robust cybersecurity protections needs to be standard, not a secondary priority. Protect your data. Protect your company.
Securing data in motion and at rest
AXEL specializes in providing file transfer and storage solutions that prioritize security. Our platform, AXEL Go, utilizes blockchain technology, the InterPlanetary File System (IPFS), and password encryption to keep your important files safe and out of the reach of hacker groups. You can sign up for a free, full-featured Basic account and try it out with 2GB of storage and enough AXEL Tokens to fuel thousands of ordinary shares. Those needing more storage can pay for one of our reasonably-priced premium plans. Stop putting your organization’s sensitive information at risk and use AXEL Go.
 “APT 1 Exposing One of China’s Cyber Espionage Units”, FireEye, 2014, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
 Jim Finkle, “Symantec Hack: Company Admits Hackers stole Norton Source Code in 2006”, The Huffington Post, Jan. 17, 2020, https://www.huffpost.com/entry/symantec-hack-norton-source-code_n_1211043
 Brian Krebs, “Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent”, Krebs on Security, Dec. 26, 2012, https://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/
 Pierluigi Paganini, “Mandiant report links Anonymous 2011 hacks to APT1 campaign”, Security Affairs, Feb. 22, 2013, https://securityaffairs.co/wordpress/12525/hacking/mandiant-report-links-anonymous-2011-hacks-to-apt1-campaign.html
 Brian Barrett, “The Mysterious Return of Years-Old Chinese Malware”, Wired, Oct. 10, 2018, https://webcache.googleusercontent.com/search?q=cache:axHpd0d7GZMJ:https://www.wired.com/story/mysterious-return-of-years-old-chinese-malware-apt1/+&cd=1&hl=en&ct=clnk&gl=us
 “Threat Group Cards: A Threat Actor Encyclopedia”, Thailand Computer Emergency Response Team, https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Mustang%20Panda%2C%20Bronze%20President&n=1
 Shannon Vavra, “Suspected Chinese hackers impersonate Catholic news outlets to gather intel about Vatican diplomacy”, cyberscoop, Nov. 23, 2020, https://www.cyberscoop.com/chinese-hacking-catholic-church-vatican/
 “APT41, a dual espionage and cyber crime operation”, FireEye, https://content.fireeye.com/apt-41/rpt-apt41/
 Catalin Cimpanu, “US charges five hackers from Chinese state-sponsored group APT41”, ZDNet, Sept. 16, 2020, https://www.zdnet.com/article/us-charges-five-hackers-part-of-chinese-state-sponsored-group-apt41/