Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/18/2017
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT3 Threat Group a Contractor for Chinese Intelligence Agency

Recorded Future says its research shows clear link between cyber threat group and China's Ministry of State Security.

The APT3 hacker group that has been active since at least 2010 and is believed to have stolen intellectual property and confidential data from numerous Western government and military targets is actually a contractor for the Chinese Ministry of State Security (MSS).

Threat intelligence firm Recorded Future this week said that a recent review of publicly available information and analysis of other available data on the group shows with little doubt that APT3 is directly linked to the Chinese government. The group's mission apparently is to collect intelligence for the MSS, and it has been operating under the guise of the Guangzhou Boyu Information Technology Company, aka Boyusec, for the past several years, Recorded Future said in a blog.

"There has always been an air of mystery around MSS cyber operations because they are a civilian human intelligence organization and operate in a different manner than the former 3PLA," says Samantha Dionne, researcher with Recorded Future referring to the Chinese equivalent of the NSA.

What Recorded Future discovered was that in many cases, MSS conducts cyber intelligence operations in the same way it conducts human intelligence operations: by utilizing institutions with non-intelligence missions and "cover" companies.

"This point is very critical for the broader community, because MSS cyber operations will often be conducted under the cover of seemingly unrelated organizations without an obvious intelligence mission," Dionne says. "This means attribution will be more difficult and determining response to an intrusion event will be more complex."

Recorded Future's APT3 investigation was prompted by a blog earlier this month by an individual or group using the handle "intrusiontruth." The blog noted that intrusiontruth had been able to track the command and control infrastructure used by APT3 using domain registration data. Intrusiontruth, according to Recorded Future, was able to document historic connections between domains associated with a malware tool used by the APT3 group and by two shareholders of Boyusec.

Recorded Future, which has been tracking the APT3 group for several years, has been able to independently further corroborate the link between APT3 and MSS, according to the company.

Recorded Future's research for instance showed that one of Boyusec's partners - the Guangdong Information Technology Security Evaluation Center - is subordinate to an MSS-run organization called CNITSEC. Information that is publicly available shows that the MSS has used CNITSEC to conduct vulnerability tests and software assessments. The Chinese government is believed to have used some of the vulnerabilities discovered during such tests in cyber intelligence operations, Recorded Future noted.

Huawei Connection

Boyusec's work with Huawei, another of its partners, also has come under scrutiny. A Pentagon internal investigations report last year had noted the two companies were working together to develop security products with backdoors in them that could be used for spying or for taking over computers and networks, Recorded Future said.

"APT3 has been a long-term, persistent, and sophisticated cyber-threat group for at least seven years," Dionne says. During this time "they have acted with impunity and compromised corporate and government networks at will and with no consequences," she notes.

Companies and government departments that have been victimized by APT3 need to realize that the MSS supports larger Chinese political, economic, diplomatic, and military goals, Dionne says. "Our recommendation would be to re-examine any APT3- or suspected APT3 intrusions in order to re-evaluate the risk and loss associated with the intrusions."

Scott Henderson, principal analyst at FireEye, the company the first identified APT3, says Recorded Future's conclusions about the group's link to the Chinese government are accurate. In addition to those links, Boyusec also has a relationship with the Guangdong Provincial Information Security Assessment Center, another organization with a potential MSS connection, Henderson says.

"This development is consistent with the evolution of several other known APT groups that began as nationalist hackers and went legit, eventually becoming information security contractors working with government sponsors," he says. "We have anticipated that several of the Chinese organizations that we track were tied to the civilian intelligence apparatus rather than the military intelligence organizations," he says.

Henderson says that while the APT3 group was once one of the most active Chinese operators out there, it has become somewhat less active in recent years. From mostly targeting organizations in the West, the group appears to be focusing its operations on limited targets such as pro-democracy activists in Hong Kong.

Related Content:

 

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.