Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/18/2017
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT3 Threat Group a Contractor for Chinese Intelligence Agency

Recorded Future says its research shows clear link between cyber threat group and China's Ministry of State Security.

The APT3 hacker group that has been active since at least 2010 and is believed to have stolen intellectual property and confidential data from numerous Western government and military targets is actually a contractor for the Chinese Ministry of State Security (MSS).

Threat intelligence firm Recorded Future this week said that a recent review of publicly available information and analysis of other available data on the group shows with little doubt that APT3 is directly linked to the Chinese government. The group's mission apparently is to collect intelligence for the MSS, and it has been operating under the guise of the Guangzhou Boyu Information Technology Company, aka Boyusec, for the past several years, Recorded Future said in a blog.

"There has always been an air of mystery around MSS cyber operations because they are a civilian human intelligence organization and operate in a different manner than the former 3PLA," says Samantha Dionne, researcher with Recorded Future referring to the Chinese equivalent of the NSA.

What Recorded Future discovered was that in many cases, MSS conducts cyber intelligence operations in the same way it conducts human intelligence operations: by utilizing institutions with non-intelligence missions and "cover" companies.

"This point is very critical for the broader community, because MSS cyber operations will often be conducted under the cover of seemingly unrelated organizations without an obvious intelligence mission," Dionne says. "This means attribution will be more difficult and determining response to an intrusion event will be more complex."

Recorded Future's APT3 investigation was prompted by a blog earlier this month by an individual or group using the handle "intrusiontruth." The blog noted that intrusiontruth had been able to track the command and control infrastructure used by APT3 using domain registration data. Intrusiontruth, according to Recorded Future, was able to document historic connections between domains associated with a malware tool used by the APT3 group and by two shareholders of Boyusec.

Recorded Future, which has been tracking the APT3 group for several years, has been able to independently further corroborate the link between APT3 and MSS, according to the company.

Recorded Future's research for instance showed that one of Boyusec's partners - the Guangdong Information Technology Security Evaluation Center - is subordinate to an MSS-run organization called CNITSEC. Information that is publicly available shows that the MSS has used CNITSEC to conduct vulnerability tests and software assessments. The Chinese government is believed to have used some of the vulnerabilities discovered during such tests in cyber intelligence operations, Recorded Future noted.

Huawei Connection

Boyusec's work with Huawei, another of its partners, also has come under scrutiny. A Pentagon internal investigations report last year had noted the two companies were working together to develop security products with backdoors in them that could be used for spying or for taking over computers and networks, Recorded Future said.

"APT3 has been a long-term, persistent, and sophisticated cyber-threat group for at least seven years," Dionne says. During this time "they have acted with impunity and compromised corporate and government networks at will and with no consequences," she notes.

Companies and government departments that have been victimized by APT3 need to realize that the MSS supports larger Chinese political, economic, diplomatic, and military goals, Dionne says. "Our recommendation would be to re-examine any APT3- or suspected APT3 intrusions in order to re-evaluate the risk and loss associated with the intrusions."

Scott Henderson, principal analyst at FireEye, the company the first identified APT3, says Recorded Future's conclusions about the group's link to the Chinese government are accurate. In addition to those links, Boyusec also has a relationship with the Guangdong Provincial Information Security Assessment Center, another organization with a potential MSS connection, Henderson says.

"This development is consistent with the evolution of several other known APT groups that began as nationalist hackers and went legit, eventually becoming information security contractors working with government sponsors," he says. "We have anticipated that several of the Chinese organizations that we track were tied to the civilian intelligence apparatus rather than the military intelligence organizations," he says.

Henderson says that while the APT3 group was once one of the most active Chinese operators out there, it has become somewhat less active in recent years. From mostly targeting organizations in the West, the group appears to be focusing its operations on limited targets such as pro-democracy activists in Hong Kong.

Related Content:

 

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...