Attacks/Breaches
5/18/2017
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT3 Threat Group a Contractor for Chinese Intelligence Agency

Recorded Future says its research shows clear link between cyber threat group and China's Ministry of State Security.

The APT3 hacker group that has been active since at least 2010 and is believed to have stolen intellectual property and confidential data from numerous Western government and military targets is actually a contractor for the Chinese Ministry of State Security (MSS).

Threat intelligence firm Recorded Future this week said that a recent review of publicly available information and analysis of other available data on the group shows with little doubt that APT3 is directly linked to the Chinese government. The group's mission apparently is to collect intelligence for the MSS, and it has been operating under the guise of the Guangzhou Boyu Information Technology Company, aka Boyusec, for the past several years, Recorded Future said in a blog.

"There has always been an air of mystery around MSS cyber operations because they are a civilian human intelligence organization and operate in a different manner than the former 3PLA," says Samantha Dionne, researcher with Recorded Future referring to the Chinese equivalent of the NSA.

What Recorded Future discovered was that in many cases, MSS conducts cyber intelligence operations in the same way it conducts human intelligence operations: by utilizing institutions with non-intelligence missions and "cover" companies.

"This point is very critical for the broader community, because MSS cyber operations will often be conducted under the cover of seemingly unrelated organizations without an obvious intelligence mission," Dionne says. "This means attribution will be more difficult and determining response to an intrusion event will be more complex."

Recorded Future's APT3 investigation was prompted by a blog earlier this month by an individual or group using the handle "intrusiontruth." The blog noted that intrusiontruth had been able to track the command and control infrastructure used by APT3 using domain registration data. Intrusiontruth, according to Recorded Future, was able to document historic connections between domains associated with a malware tool used by the APT3 group and by two shareholders of Boyusec.

Recorded Future, which has been tracking the APT3 group for several years, has been able to independently further corroborate the link between APT3 and MSS, according to the company.

Recorded Future's research for instance showed that one of Boyusec's partners - the Guangdong Information Technology Security Evaluation Center - is subordinate to an MSS-run organization called CNITSEC. Information that is publicly available shows that the MSS has used CNITSEC to conduct vulnerability tests and software assessments. The Chinese government is believed to have used some of the vulnerabilities discovered during such tests in cyber intelligence operations, Recorded Future noted.

Huawei Connection

Boyusec's work with Huawei, another of its partners, also has come under scrutiny. A Pentagon internal investigations report last year had noted the two companies were working together to develop security products with backdoors in them that could be used for spying or for taking over computers and networks, Recorded Future said.

"APT3 has been a long-term, persistent, and sophisticated cyber-threat group for at least seven years," Dionne says. During this time "they have acted with impunity and compromised corporate and government networks at will and with no consequences," she notes.

Companies and government departments that have been victimized by APT3 need to realize that the MSS supports larger Chinese political, economic, diplomatic, and military goals, Dionne says. "Our recommendation would be to re-examine any APT3- or suspected APT3 intrusions in order to re-evaluate the risk and loss associated with the intrusions."

Scott Henderson, principal analyst at FireEye, the company the first identified APT3, says Recorded Future's conclusions about the group's link to the Chinese government are accurate. In addition to those links, Boyusec also has a relationship with the Guangdong Provincial Information Security Assessment Center, another organization with a potential MSS connection, Henderson says.

"This development is consistent with the evolution of several other known APT groups that began as nationalist hackers and went legit, eventually becoming information security contractors working with government sponsors," he says. "We have anticipated that several of the Chinese organizations that we track were tied to the civilian intelligence apparatus rather than the military intelligence organizations," he says.

Henderson says that while the APT3 group was once one of the most active Chinese operators out there, it has become somewhat less active in recent years. From mostly targeting organizations in the West, the group appears to be focusing its operations on limited targets such as pro-democracy activists in Hong Kong.

Related Content:

 

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I've seen worse.  Last week Tim had a dragon."
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.