Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS).
While much of the security community typically tries to avoid making attribution statements, arguing that false flags make this task difficult, there are some individuals and companies that don’t shy away from accusing governments of conducting sophisticated cyberattacks.
A mysterious group called “intrusiontruth,” which claims to focus on investigating some of the most important advanced persistent threat (APT) actors, has recently published a series of blog posts on APT3, a group that is also known as UPS Team, Gothic Panda, Buckeye and TG-0110.
The cyberspies, believed to be sponsored by China, have been active since at least 2009, targeting many organizations in the United States and elsewhere via spear-phishing, zero-day exploits, and various other tools and techniques. Researchers noticed last year that APT3 had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”
Intrusiontruth has conducted an analysis of APT3’s command and control (C&C) infrastructure, particularly domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.
Both these individuals are listed as shareholders for a China-based security firm called the Guangzhou Boyu Information Technology Company, or Boyusec. In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that this company had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.
Intrusiontruth concluded that either Boyusec has two shareholders with the same name as members of APT3, or Boyusec is in fact APT3, which is the more likely scenario.
Recorded Future has dug deeper to find more evidence connecting APT3 to China’s MSS. In a report published on Wednesday, the company said it had attributed the group directly to the MSS with “a high degree of confidence.”
Researchers pointed out that in addition to Huawei, which claimed to use Boyusec for security evaluations of its corporate intranet, Boyusec was also a partner of the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), and the organizations have been collaborating on an active defense lab since 2014.
Guangdong ITSEC is apparently a subordinate of the China Information Technology Evaluation Center (CNITSEC), which, according to academic research, is run by the Ministry of State Security.
Experts believe many of the ministry’s subordinates, particularly ones at provincial and local levels, have legitimate public missions and act as a cover-up for intelligence operations.
“Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. In this real-life David vs. Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence,” Recorded Future said in its report.