
APT1 (PLA Unit 61398): Unveiling the Digital Dragon, China’s Notorious Cyber Espionage Unit

From Pudong to Pervasive Espionage: The Intriguing Tale of PLA Unit 61398

In the vast realm of cyberspace, where anonymity and interconnectedness reign supreme, the emergence of advanced persistent threats (APTs) has altered the landscape of global security. Among these enigmatic entities, one name resonates with both awe and apprehension – PLA Unit 61398, also known as APT1, Comment Crew, Comment Panda, GIF89a, and Byzantine Candor. This article delves into the riveting saga of this People’s Liberation Army (PLA) advanced persistent threat unit, whose clandestine operations have shaken the foundations of cybersecurity.

Origins and infamous monikers
Operating under the Military Unit Cover Designator (MUCD) 61398, PLA Unit 61398 is a Chinese cyber espionage unit that has gained notoriety for its alleged involvement in sophisticated hacking attacks. The group is stationed in Shanghai’s bustling Pudong district, China’s digital hub. Its enigmatic nature is further underscored by an array of aliases, from the evocative “Comment Crew” and “Comment Group” to the more cryptic “GIF89a” and “Byzantine Candor”. This multi-faceted nomenclature hints at the complexity and ingenuity that define this covert operation.

A history of espionage
The timeline of PLA Unit 61398’s exploits spans years, with its activities becoming increasingly audacious and wide-ranging. Notably, a 2020 report from DNA India unveiled the unit’s involvement in espionage targeting the Indian military, adding another layer of intrigue to its already mystifying profile.

However, the pivotal moment in unveiling APT1’s activities came in 2014 when the US Department of Justice announced an indictment against five individuals believed to be members of the unit. These officers – Huang Zhenyu, Wen Xinyu, Sun Kailiang, Gu Chunhui, and Wang Dong – were charged with stealing confidential business information and intellectual property from US commercial firms. Forensic evidence traced their operations to a building in Pudong, Shanghai, a revelation that shed light on the physical roots of their digital campaigns.

The anatomy of APT1
A landmark report from the computer security firm Mandiant unearthed the inner workings of PLA Unit 61398, revealing its alleged connections to China’s 2nd Bureau of the PLA General Staff Department’s (GSD) 3rd Department. This report served as a cornerstone in unraveling APT1’s activities, including its modus operandi and sophisticated attack infrastructure.

One of APT1’s distinct tactics involves compromising internal software “comment” features on legitimate websites, using them as gateways to infiltrate target computers. This strategy earned the unit its monikers “Comment Crew” and “Comment Group”. Over the years, APT1’s voracious appetite for intellectual property led to the theft of trade secrets and confidential information from a myriad of foreign businesses and organizations across diverse sectors, ranging from aeronautics and arms to energy and software.

The global impact
The reach of APT1’s cyber campaigns extended far beyond the borders of China. Notably, researchers at Dell SecureWorks linked APT1 to Operation Shady RAT, an extensive computer espionage campaign that targeted over 70 organizations across multiple countries. The interconnectedness of these operations highlighted the unit’s global impact and underscored the challenges faced by nations grappling with this new dimension of warfare.

China’s shifting stance
China’s official stance on cyber activities underwent a transformation. Initially denying any involvement in hacking, the Chinese government’s narrative shifted in 2013, acknowledging the existence of secretive cyber warfare units within both the military and civilian sectors. This change marked a significant shift in transparency, albeit with the details of these units’ operations remaining veiled in speculation.

Attribution and ongoing threat
Despite the exposure and indictment of five individuals linked to APT1, the threat posed by this entity persists. Its extensive arsenal of malware, backdoors, and Trojan horses, coupled with its intricate web of attack infrastructure, makes it a formidable adversary. The indicators listed at the end of this article cover known tools and malware families employed by APT1, further highlighting the complexity of countering this cyber menace.

Conclusion
In the rapidly evolving landscape of cybersecurity, APT1 stands as a testament to the capabilities of nation-state actors to wield digital tools for strategic ends. From its origins in Shanghai’s Pudong district to its far-reaching global campaigns, PLA Unit 61398 has left an indelible mark on the world of cyberspace. As nations continue to grapple with the challenge of cyber espionage, the saga of APT1 serves as a reminder of the need for vigilance, cooperation, and innovation in the ongoing battle for digital security.

SHA1 (Operation Oceansalt)

IP Address (Operation Oceansalt)

27[.]102[.]112[.]179
158[.]69[.]131[.]78
211[.]104[.]160[.]196
172[.]81[.]132[.]62

MD5 (Auriga)

6B31344B40E2AF9C9EE3BA707558C14E
CDCD3A09EE99CFF9A58EFEA5CCBE2BED

MD5 (Bangat)


MD5 (Biscuit)


MD5 (Bouncer)


MD5 (GreenCat)

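As an added defender-side example (not code from the original article), the following Python scanner turns the defanged addresses above back into real IPs for log matching and hashes files to compare against the indicator lists. It is seeded with the two Auriga MD5s and two Operation Oceansalt addresses from this page; the remaining families are assumed to be pasted into the same dictionary.

```python
import hashlib
import os
import re

# Seed values copied from this page's indicator lists (MD5 for the Auriga
# family, defanged addresses from Operation Oceansalt). Matching is done on
# lowercase hex, so the capitalisation used on the page does not matter.
IOC_HASHES = {
    "6b31344b40e2af9c9ee3ba707558c14e": "Auriga (MD5)",
    "cdcd3a09ee99cff9a58efea5ccbe2bed": "Auriga (MD5)",
}
IOC_ADDRESSES_DEFANGED = ["27[.]102[.]112[.]179", "158[.]69[.]131[.]78"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 or hxxp:// back into
    its real form so it can be compared against proxy or firewall logs."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator).replace("hxxp", "http")


def digests_of_bytes(data: bytes) -> dict:
    """Return MD5 and SHA1 of a byte string as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def classify(digests: dict, ioc_hashes: dict = IOC_HASHES):
    """Return the malware family label if any digest is a known IoC, else None."""
    for value in digests.values():
        if value.lower() in ioc_hashes:
            return ioc_hashes[value.lower()]
    return None


def scan_directory(root: str, ioc_hashes: dict = IOC_HASHES) -> list:
    """Return (path, family) for every file under root matching an IoC hash.
    Unreadable files are skipped rather than aborting the whole scan."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    family = classify(digests_of_bytes(fh.read()), ioc_hashes)
            except OSError:
                continue
            if family:
                hits.append((path, family))
    return hits


def match_addresses(log_lines, defanged=IOC_ADDRESSES_DEFANGED) -> list:
    """Return (line_number, address) for log lines mentioning a refanged IoC IP."""
    live = [refang(a) for a in defanged]
    return [(i, a) for i, line in enumerate(log_lines, 1) for a in live if a in line]
```

The file read is whole-file for brevity; for large volumes stream the file through the hash objects in chunks instead.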
