Security Experts:

Connect with us

Hi, what are you looking for?



APT3 Hackers Linked to Chinese Ministry of State Security

Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS).

Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS).

While much of the security community typically tries to avoid making attribution statements, arguing that false flags make this task difficult, there are some individuals and companies that don’t shy away from accusing governments of conducting sophisticated cyberattacks.

A mysterious group called “intrusiontruth,” which claims to focus on investigating some of the most important advanced persistent threat (APT) actors, has recently published a series of blog posts on APT3, a group that is also known as UPS Team, Gothic Panda, Buckeye and TG-0110.

The cyberspies, believed to be sponsored by China, have been active since at least 2009, targeting many organizations in the United States and elsewhere via spear-phishing, zero-day exploits, and various other tools and techniques. Researchers noticed last year that APT3 had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”

Intrusiontruth has conducted an analysis of APT3’s command and control (C&C) infrastructure, particularly domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Both these individuals are listed as shareholders for a China-based security firm called the Guangzhou Boyu Information Technology Company, or Boyusec. In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that this company had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

Intrusiontruth concluded that either Boyusec has two shareholders with the same name as members of APT3, or Boyusec is in fact APT3, which is the more likely scenario.

Recorded Future has dug deeper to find more evidence connecting APT3 to China’s MSS. In a report published on Wednesday, the company said it had attributed the group directly to the MSS with “a high degree of confidence.”

Researchers pointed out that in addition to Huawei, which claimed to use Boyusec for security evaluations of its corporate intranet, Boyusec was also a partner of the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), and the organizations have been collaborating on an active defense lab since 2014.

Guangdong ITSEC is apparently a subordinate of the China Information Technology Evaluation Center (CNITSEC), which, according to academic research, is run by the Ministry of State Security.

Experts believe many of the ministry’s subordinates, particularly ones at provincial and local levels, have legitimate public missions and act as a cover-up for intelligence operations.

“Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. In this real-life David vs. Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence,” Recorded Future said in its report.

Related: Flash Player Flaw Used by APT3 Group Added to Magnitude Exploit Kit

Related: China-Linked Group Uses New Malware in Japan Attacks

Related: Serious Breach Linked to Chinese APTs Comes to Light

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.