Connect with us

Hi, what are you looking for?


Incident Response

China’s APT1 Changing Tactics, Rebuilding: Mandiant

It appears the Chinese cyber-espionage crew behind attacks on as many as 100 businesses is cutting back on some of its attacks and looking for alternative tools, Mandiant said.

It appears the Chinese cyber-espionage crew behind attacks on as many as 100 businesses is cutting back on some of its attacks and looking for alternative tools, Mandiant said.

Back in February, Mandiant released a 74-page report with loads of information on the group, dubbed APT1, including its attack methods, operational methodology, and organizations it had previously infiltrated. The report accused APT1 of retrieving hundreds of terabytes of stolen data. Even if APT1 wasn’t an official entity within the Chinese government, the report made a strong case that the government was at least aware of its operations.

APT1 Hacking

Since the publication of the report, the group may have had to change some of its methods, Mandiant said in a follow-up report this week. The original report included more than 3,000 APT1 indicators used by APT1, including domain names, 832 IP addresses, 13 digital certificates used to encrypt data, and MD5 hashes of over malware. Recent analysis indicates they are still active, but they are changing their methods.

“APT1 is still active using a well-coordinated and well-defined attack methodology against a wide set of industries — with a discernible post-report shift towards new tools and infrastructure,” wrote Dan Mcwhorter, Mandiant’s managing director for threat intelligence.

The report was the first time a private sector company had laid out evidence to link the China to cyber-espionage campaigns against businesses and government entities around the world.

APT1 relied on social engineering methods, remote access tools, and more than 40 malware families to carry out their operations, the original report said. The report’s goal was to make it harder to the group to carry out their attacks and slow them down, since organizations now knew what to look for in their logs and network traffic. It appears to have had some effect, as the information “hindered APT1’s operations,” Mcwhorter wrote.

“APT1 has stopped using the vast majority of the infrastructure that was disclosed with the release of the indicators,” Mcwhorter wrote.

The group has not been knocked out yet, as it probably still has access to an extensive infrastructure of computers around the world. While there was speculation that Mandiant’s publication of APT1 indicators would have resulted in the group dismantling itself, the follow-up reports indicates that is not the case.

Advertisement. Scroll to continue reading.

Mandiant noted that APT1 is only one of more than 20 Advanced Persistent Threat groups operating out of China that the company is aware of. Mandiant’s report disrupted only APT1, not the others.

“Mandiant has observed no significant changes in their operations,” the follow-up report said. 

Related Reading: Lessons from Mandiant’s APT1

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.