Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/18/2017
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT3 Threat Group a Contractor for Chinese Intelligence Agency

Recorded Future says its research shows clear link between cyber threat group and China's Ministry of State Security.

The APT3 hacker group that has been active since at least 2010 and is believed to have stolen intellectual property and confidential data from numerous Western government and military targets is actually a contractor for the Chinese Ministry of State Security (MSS).

Threat intelligence firm Recorded Future this week said that a recent review of publicly available information and analysis of other available data on the group shows with little doubt that APT3 is directly linked to the Chinese government. The group's mission apparently is to collect intelligence for the MSS, and it has been operating under the guise of the Guangzhou Boyu Information Technology Company, aka Boyusec, for the past several years, Recorded Future said in a blog.

"There has always been an air of mystery around MSS cyber operations because they are a civilian human intelligence organization and operate in a different manner than the former 3PLA," says Samantha Dionne, researcher with Recorded Future referring to the Chinese equivalent of the NSA.

What Recorded Future discovered was that in many cases, MSS conducts cyber intelligence operations in the same way it conducts human intelligence operations: by utilizing institutions with non-intelligence missions and "cover" companies.

"This point is very critical for the broader community, because MSS cyber operations will often be conducted under the cover of seemingly unrelated organizations without an obvious intelligence mission," Dionne says. "This means attribution will be more difficult and determining response to an intrusion event will be more complex."

Recorded Future's APT3 investigation was prompted by a blog earlier this month by an individual or group using the handle "intrusiontruth." The blog noted that intrusiontruth had been able to track the command and control infrastructure used by APT3 using domain registration data. Intrusiontruth, according to Recorded Future, was able to document historic connections between domains associated with a malware tool used by the APT3 group and by two shareholders of Boyusec.

Recorded Future, which has been tracking the APT3 group for several years, has been able to independently further corroborate the link between APT3 and MSS, according to the company.

Recorded Future's research for instance showed that one of Boyusec's partners - the Guangdong Information Technology Security Evaluation Center - is subordinate to an MSS-run organization called CNITSEC. Information that is publicly available shows that the MSS has used CNITSEC to conduct vulnerability tests and software assessments. The Chinese government is believed to have used some of the vulnerabilities discovered during such tests in cyber intelligence operations, Recorded Future noted.

Huawei Connection

Boyusec's work with Huawei, another of its partners, also has come under scrutiny. A Pentagon internal investigations report last year had noted the two companies were working together to develop security products with backdoors in them that could be used for spying or for taking over computers and networks, Recorded Future said.

"APT3 has been a long-term, persistent, and sophisticated cyber-threat group for at least seven years," Dionne says. During this time "they have acted with impunity and compromised corporate and government networks at will and with no consequences," she notes.

Companies and government departments that have been victimized by APT3 need to realize that the MSS supports larger Chinese political, economic, diplomatic, and military goals, Dionne says. "Our recommendation would be to re-examine any APT3- or suspected APT3 intrusions in order to re-evaluate the risk and loss associated with the intrusions."

Scott Henderson, principal analyst at FireEye, the company the first identified APT3, says Recorded Future's conclusions about the group's link to the Chinese government are accurate. In addition to those links, Boyusec also has a relationship with the Guangdong Provincial Information Security Assessment Center, another organization with a potential MSS connection, Henderson says.

"This development is consistent with the evolution of several other known APT groups that began as nationalist hackers and went legit, eventually becoming information security contractors working with government sponsors," he says. "We have anticipated that several of the Chinese organizations that we track were tied to the civilian intelligence apparatus rather than the military intelligence organizations," he says.

Henderson says that while the APT3 group was once one of the most active Chinese operators out there, it has become somewhat less active in recent years. From mostly targeting organizations in the West, the group appears to be focusing its operations on limited targets such as pro-democracy activists in Hong Kong.

Related Content:

 

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.