APT1
Also known as: Comment Crew · Comment Group · Comment Panda
Overview
APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
Targets
Government · Private sector
Regions
Belgium · Canada · France · India · Israel · Japan · Luxembourg · Norway · Singapore · South Africa · Switzerland · Taiwan · United Arab Emirates · United Kingdom · United States
Capabilities
- Custom malware/implant development — ATT&CK: 6 attributed custom malware families
TTPs — 23 techniques across 8 tactics
Resource Development
- T1583.001 Domains
- T1584.001 Domains
- T1585.002 Email Accounts
- T1588.001 Malware
- T1588.002 Tool
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1059.003 Windows Command Shell
Stealth
Credential Access
- T1003.001 LSASS Memory
Discovery
- T1007 System Service Discovery
- T1016 System Network Configuration Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1087.001 Local Account
- T1135 Network Share Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1550.002 Pass the Hash
Collection
- T1005 Data from Local System
- T1114.001 Local Email Collection
- T1114.002 Remote Email Collection
- T1119 Automated Collection
- T1560.001 Archive via Utility
Tools & malware (17)
Seasalt · ipconfig · BISCUIT · Cachedump · PsExec · GLOOXMAIL · Lslsass · PoisonIvy · WEBC2 · Mimikatz · gsecdump · Pass-The-Hash Toolkit · CALENDAR · Tasklist · Net · xCmd · pwdump
Reporting (1)
- CrowdStrike Intelligence Report: Putter Panda — Crowdstrike Global Intelligence Team