
China’s APT1 Changing Tactics, Rebuilding: Mandiant

It appears the Chinese cyber-espionage crew behind attacks on as many as 100 businesses is cutting back on some of its attacks and looking for alternative tools, Mandiant said.

Back in February, Mandiant released a 74-page report with loads of information on the group, dubbed APT1, including its attack methods, operational methodology, and organizations it had previously infiltrated. The report accused APT1 of retrieving hundreds of terabytes of stolen data. Even if APT1 wasn’t an official entity within the Chinese government, the report made a strong case that the government was at least aware of its operations.


Since the publication of the report, the group may have had to change some of its methods, Mandiant said in a follow-up report this week. The original report included more than 3,000 APT1 indicators, including domain names, 832 IP addresses, 13 digital certificates used to encrypt data, and MD5 hashes of malware samples. Recent analysis indicates the group is still active, but it is changing its methods.

“APT1 is still active using a well-coordinated and well-defined attack methodology against a wide set of industries — with a discernible post-report shift towards new tools and infrastructure,” wrote Dan McWhorter, Mandiant’s managing director for threat intelligence.

The report was the first time a private sector company had laid out evidence linking China to cyber-espionage campaigns against businesses and government entities around the world.

APT1 relied on social engineering methods, remote access tools, and more than 40 malware families to carry out its operations, the original report said. The report’s goal was to make it harder for the group to carry out its attacks and to slow it down, since organizations now knew what to look for in their logs and network traffic. It appears to have had some effect, as the information “hindered APT1’s operations,” McWhorter wrote.

“APT1 has stopped using the vast majority of the infrastructure that was disclosed with the release of the indicators,” McWhorter wrote.

The group has not been knocked out yet, as it probably still has access to an extensive infrastructure of computers around the world. While there was speculation that Mandiant’s publication of APT1 indicators would result in the group dismantling itself, the follow-up report indicates that is not the case.

Mandiant noted that APT1 is only one of more than 20 Advanced Persistent Threat groups operating out of China that the company is aware of. Mandiant’s report disrupted only APT1, not the others.

“Mandiant has observed no significant changes in their operations,” the follow-up report said. 

Related Reading: Lessons from Mandiant’s APT1
