
APT 3 Boyusec: Unraveling the Intricate Web of China’s Cyber Espionage

In the vast landscape of cyber threats and espionage, APT3 (also written APT-3 or APT 3, and known as Gothic Panda, Pirpi, Buckeye, and UPS Team) stands out as a China-based advanced persistent threat group with a history of sophisticated and targeted cyber espionage campaigns. Linked to China’s Ministry of State Security, APT 3 has been responsible for a series of high-profile operations that have captured the attention of researchers and security experts worldwide. From its origins and aliases to its modus operandi, tactics, tools, and motivations, this article delves into the workings of APT 3 and its impact on global cybersecurity.

Origins and aliases
APT 3, short for Advanced Persistent Threat 3, made its first appearance on the cybersecurity radar in 2010. This China-based threat group operates under various aliases, including Gothic Panda, Pirpi, Buckeye, and UPS Team. The extent of its operations and the changing nature of its targets over time have kept cybersecurity professionals on their toes, attempting to decipher the group’s motives and methods.

High-profile campaigns
Throughout its existence, APT 3 has orchestrated several high-profile campaigns, each marked by its sophistication and precision. Notable among these are Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. These campaigns targeted a diverse range of sectors, including aerospace, defense, construction, engineering, high tech, telecommunications, and transportation.

Initially focused on targeting organizations within the United States, APT3 shifted its attention in 2015, particularly toward political organizations in Hong Kong. This shift raised questions about the group’s strategic objectives and its alignment with China’s larger political and economic interests.

Motivations and objectives
APT3’s motivations revolve around stealing critical information from both private organizations and government entities. This stolen data serves China’s broader political, economic, and military goals. The group’s interest in exfiltrating government documents and sensitive information enables China to gain a strategic advantage on the global stage. As China embarks on ambitious projects like the One Belt One Road initiative, APT 3’s target selection has tracked China’s regional rivals, illustrating the symbiotic relationship between cyber espionage and geopolitical interests.

Modus operandi
APT 3 is known for its ingenious use of browser-based exploits, including zero-days in popular software such as Adobe Flash Player, Firefox, and Internet Explorer. One example is the Operation Clandestine Wolf campaign, where the group exploited a now-patched vulnerability in Adobe Flash Player to infiltrate targeted networks. Once inside, APT 3 deploys custom backdoors, such as RemoteCMD, OSInfo, and ShotPut, to navigate through the compromised system and establish persistence.

The group also employs spear-phishing emails with compressed executable attachments, using these as entry points for its attacks. APT 3’s command and control (CnC) infrastructure is notoriously difficult to trace because it is rarely reused from one campaign to the next, demonstrating the group’s sophistication in evading detection.
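The paragraph above names compressed executable attachments as the group’s entry point, so the natural defensive control is to inspect archive attachments before they reach a mailbox. The following Python script is an added example (not from the original article and not APT3 tooling) of such a check: it opens a zip archive, flags members by executable extension, double extension, PE magic bytes regardless of extension, and encrypted entries that cannot be inspected. The archive contents, file names, extension list, and function names are constructed for illustration.

```python
import io
import zipfile
from typing import Dict, List

# File extensions Windows will execute directly. Illustrative set, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi",
}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def build_sample_archive() -> bytes:
    """Constructed test data: a zip with two disguised 'executables' and one benign file.
    The executables are just an MZ header plus padding, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", PE_MAGIC + b"\x90" * 64)
        zf.writestr("notes.txt", b"meeting notes, plain text")
        zf.writestr("report.docx", PE_MAGIC + b"\x00" * 32)  # PE content behind a document extension
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed test data: a zip containing only ordinary text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agenda.txt", b"1. budget 2. hiring")
    return buf.getvalue()


def inspect_archive(data: bytes) -> List[Dict]:
    """Return one finding per suspicious archive member.

    Checks, in order: executable extension, double extension (e.g. .pdf.exe),
    encrypted entries (content cannot be examined, so they are flagged outright),
    and PE magic bytes in the content regardless of what the extension claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            suffixes = base.split(".")[1:]
            reasons = []
            if suffixes and "." + suffixes[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            if len(suffixes) >= 2:  # note: also fires on benign .tar.gz style names
                reasons.append("double extension")
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag marks an encrypted entry
                reasons.append("encrypted entry, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(len(PE_MAGIC))
                if head == PE_MAGIC:
                    reasons.append("PE header (MZ) in content")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy decision: any finding at all holds the message for review."""
    return bool(inspect_archive(data))


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f['name']}: {', '.join(f['reasons'])}")
```

The content check matters more than the extension checks: renaming a binary to `.docx` defeats a filename rule but not the MZ test, and an encrypted entry is treated as suspicious precisely because the scanner cannot look inside it.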

Toolset and malware
APT 3’s toolkit is diverse and powerful, encompassing a range of malicious tools and techniques. The group has exploited various zero-day vulnerabilities, including the infamous Unicorn Bug (CVE-2014-6332) and the Windows SMB vulnerabilities (CVE-2019-0703, CVE-2017-0143) used in exploits like EternalSynergy and EternalRomance. Additionally, APT 3 has harnessed custom tools like OSInfo, ShotPut, and RemoteCMD to further its objectives.

Commercial and open-source tools have also found their place in APT 3’s arsenal. For instance, the group has utilized Schtasks and CookieCutter to schedule program executions and create project templates, respectively. Notably, APT 3’s use of the DoublePulsar, FuzzBunch, EternalBlue, and other tools connected to the Equation Group highlights its sophisticated approach.

Attribution and countermeasures
In 2016, the three individuals responsible for purchasing APT 3 domains for cyber-espionage campaigns were identified: Wu Yingzhuo, Dong Hao, and Xia Lei. Wu Yingzhuo and Dong Hao were shareholders of the Chinese InfoSec company Boyusec, recognized as a contractor for China’s Ministry of State Security. The legal actions taken against them underscored the international effort to combat APT 3’s activities.

To defend against APT 3 and similar threats, organizations should deploy robust endpoint protection solutions with real-time threat intelligence. Rigorous patch management and vulnerability assessments are crucial to thwart attacks exploiting known vulnerabilities. Combating APTs like APT 3 requires a comprehensive approach, including network monitoring, spear-phishing awareness training, and the use of orchestration tools for real-time threat intelligence analysis.

Conclusion
The multifaceted threat posed by APT 3 highlights the complex interplay between cybersecurity, geopolitics, and espionage. From its origins in China to its sophisticated campaigns targeting various sectors and regions, APT 3 remains a formidable adversary on the digital battlefield. As cybersecurity professionals and governments worldwide continue their efforts to counter such threats, understanding the tactics, techniques, and procedures of groups like APT 3 becomes increasingly imperative for safeguarding sensitive information, critical infrastructure, and national security.

Indicators of compromise

SHA1 hashes

0311CEC923C57A435E735E106517797F
104ECBC2746702FA6ECD4562A867E7FB
12668F8D072E89CF04B9CBCD5A3492E1
19C539FF2C50A0EFD52BB5B93D03665A
221C6DB5B60049E3F1CDBB6212BE7F41
3514205D697005884B3564197A6E4A34
3C0D740347B0362331C882C2DEE96DBF
47E67D1C9382D62370A0D71FECC5368B
4C8FA3731EFD2C5097E903D50079A44D
4F43F03783F9789F804DCF9B9474FA6D
51545ABCF4F196095ED102B0D08DEA7E
52775F24E230C96EA5697BCA79C72C8E
567D379B87A54750914D2F0F6C3B6571
5778D8FF5156DE1F63361BD530E0404D
583F05B4F1724ED2EBFD06DD29064214
58DD6099F8DF7E5509CEE3CB279D74D5
59C3F3F99F44029DE81293B1E7C37ED2
64AA21201BFD88D521FE90D44C7B5DBA
65C024D60AF18FFAB051F97CCDDFAB7F
68970B2CD5430C812BEF5B87C1ADD6EA
6E0EBEEEA1CB00192B074B288A4F9CFE
7C3BF9AB05DD803AC218FC7084C75E96
83D8D40F435521C097D3F6F4D2358C67
86D1A184850859A6A4D1C35982F3C40E

MD5 hashes

7020bcb347404654e17f6303848b7ec4
aacfef51a4a242f52fbb838c1d063d9b
c2f902f398783922a921df7d46590295
6458806a5071a7c4fefae084791e8c67
0d2d0d8f4989679f7c26b5531096b8b2
a3932533efc04ac3fe89fb5b3d60128a
58f784c7a292103251930360f9ca713e
a469d48e25e524cf0dec64f01c182b25
5a0c4e1925c76a959ab0588f683ab437
6b8611f8148a6b51e37fd68e75b6a81c
9342d18e7d315117f23db7553d59a9d1
492a839a3bf9c61b7065589a18c5aa8d
744a17a3bc6dbd535f568ef1e87d8b9a
2fab77a3ff40e4f6d9b5b7e813c618e4
f34d5f2d4577ed6d9ceec516c1f5a744
5c08957f05377004376e6a622406f9aa

SHA256 hashes

951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7
1c9f1c7056864b5fdd491d5daa49f920c3388cb8a8e462b2bc34181cef6c1f9c
3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e
7bfad342ce88de19d090a4cb2ce332022650abd68f34e83fdc694f10a4090d65
6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc
01f53953db8ba580ee606043a482f790082460c8cdbd7ff151d84e03fdc87e42
53145f374299e673d82d108b133341dc7bee642530b560118e3cbcdb981ee92c
cbe23daa9d2f8e1f5d59c8336dd5b7d7ba1d5cf3f0d45e66107668e80b073ac3

Domains

Inform.bedircati[.]com
Pn.lamb-site[.]com
Securitywap[.]com
Join.playboysplus[.]com
walterclean[.]com

Originating IP Address

210[.]109[.]99[.]64
192[.]184[.]60[.]229
104[.]151[.]248[.]173

File Name

Test.exe
doc.exe
Install.exe
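The countermeasures section above recommends network monitoring, and the list above is the raw material for it: published indicators are defanged, mixed-case, partly duplicated, and sorted under labels that do not always match the digest length (the values in this page’s SHA1 section are 32 hex characters, which is the MD5 length). The following Python script is an added example, not part of the article, that normalises indicators from this page (a subset of the hashes, all domains, IPs and file names, copied as published), infers each hash algorithm from its length and warns when that contradicts the section label, then matches the result against constructed key=value log lines. The log lines, field names and function names are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators copied from the article's IoC section, exactly as published (defanged).
# Only a few hashes are included; the loader works the same way on the full list.
RAW_DOMAINS = ["Inform.bedircati[.]com", "Pn.lamb-site[.]com", "Securitywap[.]com",
               "Join.playboysplus[.]com", "walterclean[.]com"]
RAW_IPS = ["210[.]109[.]99[.]64", "192[.]184[.]60[.]229", "192[.]184[.]60[.]229",
           "104[.]151[.]248[.]173", "104[.]151[.]248[.]173"]  # duplicates as printed
RAW_HASHES = {  # section label as printed on the page -> sample values from that section
    "SHA1": ["0311CEC923C57A435E735E106517797F", "104ECBC2746702FA6ECD4562A867E7FB"],
    "MD5": ["7020bcb347404654e17f6303848b7ec4", "F34d5f2d4577ed6d9ceec516c1f5a744"],
    "SHA256": ["951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7"],
}
RAW_FILENAMES = ["Test.exe", "doc.exe", "Install.exe"]

# Constructed proxy/DNS/AV log lines in a key=value style; not real traffic.
SAMPLE_LOGS = [
    "2023-09-01T10:00:01Z proxy src=10.0.0.5 dst=104.151.248.173 host=inform.bedircati.com uri=/index.php",
    "2023-09-01T10:00:02Z proxy src=10.0.0.7 dst=93.184.216.34 host=example.com uri=/",
    "2023-09-01T10:00:03Z dns client=10.0.0.9 query=pn.lamb-site.com",
    "2023-09-01T10:00:04Z av host=ws12 file=doc.exe md5=7020BCB347404654E17F6303848B7EC4",
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
KV = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Undo the usual defanging ([.] and hxxp) and normalise case for comparison."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def classify_hash(value: str) -> Optional[str]:
    """Infer the digest algorithm from hex length; None if it is not a hex string."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return None
    return HASH_LENGTHS.get(len(h))


def load_hashes(sections: Dict[str, List[str]]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Group hashes by the algorithm their length implies; warn when that
    contradicts the section label they were published under."""
    by_algo: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    warnings: List[str] = []
    for label, values in sections.items():
        for v in values:
            algo = classify_hash(v)
            if algo is None:
                warnings.append(f"{v!r}: not a recognised hex digest")
                continue
            by_algo[algo].add(v.strip().lower())
            if algo != label.lower():
                warnings.append(f"{v.lower()}: listed under {label} but has {algo} length")
    return by_algo, warnings


def build_indicators() -> Dict:
    hashes, warnings = load_hashes(RAW_HASHES)
    return {
        "domains": {refang(d) for d in RAW_DOMAINS},
        "ips": {refang(i) for i in RAW_IPS},  # the set drops the duplicated entries
        "hashes": hashes,
        "filenames": {f.lower() for f in RAW_FILENAMES},
        "warnings": warnings,
    }


def domain_matches(host: str, domains: Set[str]) -> bool:
    """Exact match or a subdomain of a listed domain."""
    return host in domains or any(host.endswith("." + d) for d in domains)


def scan_logs(lines: List[str], ind: Dict) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator type, matched value) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV.findall(line))
        for key in ("host", "query"):
            v = fields.get(key, "").lower()
            if v and domain_matches(v, ind["domains"]):
                hits.append((n, "domain", v))
        dst = fields.get("dst")
        if dst in ind["ips"]:
            hits.append((n, "ip", dst))
        for algo in ("md5", "sha1", "sha256"):
            v = fields.get(algo, "").lower()
            if v and v in ind["hashes"][algo]:
                hits.append((n, algo, v))
        fname = fields.get("file", "").lower()
        if fname in ind["filenames"]:
            hits.append((n, "filename", fname))
    return hits


if __name__ == "__main__":
    ind = build_indicators()
    for w in ind["warnings"]:
        print("WARNING:", w)
    for hit in scan_logs(SAMPLE_LOGS, ind):
        print(hit)
```

Length-based classification is what keeps a mislabelled hash usable: a 32-character value is looked up against MD5 fields whatever heading it was printed under, and the warning tells the analyst to double-check the source. File-name indicators like doc.exe are included for completeness but are weak on their own and should only raise severity when they coincide with a domain, IP or hash hit.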
