Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/18/2017
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT3 Threat Group a Contractor for Chinese Intelligence Agency

Recorded Future says its research shows clear link between cyber threat group and China's Ministry of State Security.

The APT3 hacker group that has been active since at least 2010 and is believed to have stolen intellectual property and confidential data from numerous Western government and military targets is actually a contractor for the Chinese Ministry of State Security (MSS).

Threat intelligence firm Recorded Future this week said that a recent review of publicly available information and analysis of other available data on the group shows with little doubt that APT3 is directly linked to the Chinese government. The group's mission apparently is to collect intelligence for the MSS, and it has been operating under the guise of the Guangzhou Boyu Information Technology Company, aka Boyusec, for the past several years, Recorded Future said in a blog.

"There has always been an air of mystery around MSS cyber operations because they are a civilian human intelligence organization and operate in a different manner than the former 3PLA," says Samantha Dionne, researcher with Recorded Future referring to the Chinese equivalent of the NSA.

What Recorded Future discovered was that in many cases, MSS conducts cyber intelligence operations in the same way it conducts human intelligence operations: by utilizing institutions with non-intelligence missions and "cover" companies.

"This point is very critical for the broader community, because MSS cyber operations will often be conducted under the cover of seemingly unrelated organizations without an obvious intelligence mission," Dionne says. "This means attribution will be more difficult and determining response to an intrusion event will be more complex."

Recorded Future's APT3 investigation was prompted by a blog earlier this month by an individual or group using the handle "intrusiontruth." The blog noted that intrusiontruth had been able to track the command and control infrastructure used by APT3 using domain registration data. Intrusiontruth, according to Recorded Future, was able to document historic connections between domains associated with a malware tool used by the APT3 group and by two shareholders of Boyusec.

Recorded Future, which has been tracking the APT3 group for several years, has been able to independently further corroborate the link between APT3 and MSS, according to the company.

Recorded Future's research for instance showed that one of Boyusec's partners - the Guangdong Information Technology Security Evaluation Center - is subordinate to an MSS-run organization called CNITSEC. Information that is publicly available shows that the MSS has used CNITSEC to conduct vulnerability tests and software assessments. The Chinese government is believed to have used some of the vulnerabilities discovered during such tests in cyber intelligence operations, Recorded Future noted.

Huawei Connection

Boyusec's work with Huawei, another of its partners, also has come under scrutiny. A Pentagon internal investigations report last year had noted the two companies were working together to develop security products with backdoors in them that could be used for spying or for taking over computers and networks, Recorded Future said.

"APT3 has been a long-term, persistent, and sophisticated cyber-threat group for at least seven years," Dionne says. During this time "they have acted with impunity and compromised corporate and government networks at will and with no consequences," she notes.

Companies and government departments that have been victimized by APT3 need to realize that the MSS supports larger Chinese political, economic, diplomatic, and military goals, Dionne says. "Our recommendation would be to re-examine any APT3- or suspected APT3 intrusions in order to re-evaluate the risk and loss associated with the intrusions."

Scott Henderson, principal analyst at FireEye, the company the first identified APT3, says Recorded Future's conclusions about the group's link to the Chinese government are accurate. In addition to those links, Boyusec also has a relationship with the Guangdong Provincial Information Security Assessment Center, another organization with a potential MSS connection, Henderson says.

"This development is consistent with the evolution of several other known APT groups that began as nationalist hackers and went legit, eventually becoming information security contractors working with government sponsors," he says. "We have anticipated that several of the Chinese organizations that we track were tied to the civilian intelligence apparatus rather than the military intelligence organizations," he says.

Henderson says that while the APT3 group was once one of the most active Chinese operators out there, it has become somewhat less active in recent years. From mostly targeting organizations in the West, the group appears to be focusing its operations on limited targets such as pro-democracy activists in Hong Kong.

Related Content:

 

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...