APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. 
| Domain | ID | Name | Use |
|---|---|---|---|
| PRE-ATT&CK | T1330 | Acquire and/or use 3rd party software services | APT1 used third-party email services in the registration of whois records. |
| PRE-ATT&CK | T1334 | Compromise 3rd party infrastructure to support delivery | APT1 compromised a vast set of third-party victim hop points as part of their network infrastructure. |
| PRE-ATT&CK | T1334 | Compromise 3rd party infrastructure to support delivery | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but were used by APT1 for malicious purposes. |
| PRE-ATT&CK | T1326 | Domain registration hijacking | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes. |
| PRE-ATT&CK | T1333 | Dynamic DNS | APT1 used dynamic DNS to register hundreds of FQDNs. |
| PRE-ATT&CK | T1346 | Obtain/re-use payloads | APT1 used publicly available privilege escalation tools. |
| Enterprise | T1087 | Account Discovery | APT1 used the commands |
| Enterprise | T1119 | Automated Collection | APT1 used a batch script to perform a series of discovery techniques and save the output to a text file. |
| Enterprise | T1059 | Command-Line Interface | APT1 has used the Windows command shell to execute commands. |
| Enterprise | T1003 | Credential Dumping | APT1 has been known to use credential dumping. |
| Enterprise | T1002 | Data Compressed | APT1 has used RAR to compress files before moving them outside of the victim network. |
| Enterprise | T1005 | Data from Local System | APT1 has collected files from a local victim. |
| Enterprise | T1114 | Email Collection | APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived. |
| Enterprise | T1036 | Masquerading | The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware. |
| Enterprise | T1135 | Network Share Discovery | APT1 listed connected network shares. |
| Enterprise | T1075 | Pass the Hash | The APT1 group is known to have used pass the hash. |
| Enterprise | T1057 | Process Discovery | APT1 gathered a list of running processes on the system using |
| Enterprise | T1076 | Remote Desktop Protocol | The APT1 group is known to have used RDP during operations. |
| Enterprise | T1064 | Scripting | APT1 has used batch scripting to automate execution of commands. |
| Enterprise | T1016 | System Network Configuration Discovery | APT1 used the |
| Enterprise | T1049 | System Network Connections Discovery | APT1 used the |
| Enterprise | T1007 | System Service Discovery | APT1 used the commands |
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- FireEye Labs. (2014, May 20). The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity. Retrieved November 4, 2014.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.