Researchers found a link between the APT3 Threat Group and the Chinese Intelligence Agency

Security experts at threat intelligence firm Record Future have found a clear link between APT3 cyber threat group and China’s Ministry of State Security.

The curtain has been pulled back a little on the Chinese Intelligence Agency intelligence gathering structure — and it includes private security contractors and the network vendor supply chain.

In 2010, security vendor FireEye identified the Pirpi Remote Access Trojan (RAT) which exploited a then 0-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3 which has also been described as TG-0100, Buckeye, Gothic Panda, and UPS and described them as “one of the most sophisticated threat groups” being tracked at the time.

Since then, APT3 has been actively penetrating corporations and governments in the US, UK and most recently Hong Kong — and everyone has been trying to figure out who they are. APT3 functions very differently than 3LA, the former Chinese military hacking organization leading to the assumption that APT3 is not part of the military complex. At least not officially.

On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blogs posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

“On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions.” states the analysis published by Recorder Future.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis.”According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”

To protect our networks, it is important to assess the threats. An important part of threat assessment is to anticipate the motivation of the attackers. APT3 has demonstrated above average skills and has been active for a long time. Add ties to the network vendor supply chain and you have the makings of a dangerous adversary. As part of the Chinese MSS structure you can start to guess at motivation. With this new information, it is a good time to reassess your threat model.

“The implications are clear and expansive. Recorded Future’s research leads us to attribute APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence. Boyusec has a Boyusec has a documented history of producing malicious technology and working with the Chinese intelligence services.” concludes the analysis.

About the author: Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.

[adrotate banner=”9″]

[adrotate banner=”12″]

Edited by Pierluigi Paganini

(Security Affairs – APT3, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.