MITRE ATT&CK
G0006
Alias
Brown Fox, APT 1, Byzantine Hades, Operation "Siesta", Shanghai Group, GIF89a, ShadyRAT, Operation "OceanSalt", TG-8223, Comment Group, Operation "SeaSalt", Group 3, BrownFox, Comment Panda, APT1, PLA Unit 61398, Byzantine Candor, Comment Crew, G0006
Country
China
Sponsor
Commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398: the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, China. State-sponsored.
</gg_replace>
<gr_replace lines="10" cat="reformat" orig="Information Theft">
Information theft and espionage
Motivation
Information Theft And Espionage
First Seen
2006
Description
Also known as APT1, Comment Crew is an advanced persistent threat (APT) group with links to the Chinese military. First observed around 2006, with publicly documented activity continuing into the 2010s (see Operations below), the group compromised more than 140 organizations, most of them US companies, in pursuit of sensitive corporate and intellectual property data.
The group earned its name from its use of HTML comments to hide command-and-control (C2) communication: an implant fetches an innocuous-looking web page and parses its tasking out of comment blocks, so the traffic looks like ordinary browsing. The usual initial access vector was spear-phishing with emails carrying documents whose file names were tailored to the intended victim, such as "ArmyPlansConferenceOnNewGCVSolicitation.pdf" or "Chinese Oil Executive Learning From Experience.doc".
This group may also be responsible for the Siesta campaign (see Operations below).
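The comment-hiding technique described above can be turned around for detection. The following is an added example (not code from the original profile or from any of the group's tools): a heuristic that extracts HTML comments from an HTTP response body and flags any comment token that strictly decodes as base64 to printable ASCII, which is what embedded tasking tends to look like. The sample pages, the tasking string and the base64 encoding are constructed for this example; the real WEBC2 variants used their own markers and encodings, so treat this as the generic shape of the check, not a signature.

```python
"""Heuristic scanner for C2 tasking hidden in HTML comments.

Added example, not part of the original profile. The sample responses
below are constructed, not captured traffic, and the base64 encoding is an
assumption made for illustration.
"""
import base64
import re
from typing import Dict, List, Optional

# Non-greedy match over HTML comments, including multi-line ones.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# A base64 token of at least 16 characters; the length floor drops short
# incidental matches such as ordinary words in developer comments.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_text(token: str) -> Optional[str]:
    """Strictly decode a base64 token and return the plaintext only if it is
    printable ASCII. Hex digests and binary blobs also look like base64 but
    decode to junk, so they are rejected here and do not produce findings."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and text.isprintable() else None


def scan_html_comments(html: str) -> List[Dict[str, str]]:
    """Return one finding per comment token that decodes to readable text."""
    findings: List[Dict[str, str]] = []
    for match in COMMENT_RE.finditer(html):
        comment = match.group(1).strip()
        for token in comment.split():
            if not B64_TOKEN_RE.match(token):
                continue
            decoded = decode_if_text(token)
            if decoded is not None:
                findings.append(
                    {"comment": comment, "token": token, "decoded": decoded}
                )
    return findings


# Constructed sample responses (not real pages). The benign page carries a
# developer note and a hex cache key, which must not be flagged.
BENIGN_HTML = """<html><head><!-- build 2013-02-18, see README --></head>
<body><!-- cache-key: 5d41402abc4b2a76b9719d911017c592 --><p>Welcome</p></body></html>"""

# Hypothetical tasking string; the encoding is an assumption for this example.
TASKING = "cmd:whoami /all;sleep:3600"
SUSPECT_HTML = (
    "<html><body><p>Company news</p>\n"
    f"<!-- {base64.b64encode(TASKING.encode()).decode()} -->\n"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML)):
        for hit in scan_html_comments(page):
            print(f"[{name}] comment carries decodable tasking: {hit['decoded']!r}")
```

Run at a proxy or on captured response bodies, this produces no finding for the benign page (the 32-character hex cache key passes the regex but decodes to non-ASCII bytes and is rejected) and one finding for the suspect page. The false-positive rate on real traffic will depend on how often sites embed base64 in comments, so the finding should be enriched with the requesting process and destination rather than alerted on alone.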
Targeted
Industries
Construction, Mining, Financial, Media, Telecommunications, Government, Research, IT, Chemical, Education, Satellites, Engineering, Transportation, Private sector, Food and agriculture, Non-profit organizations, Defense, Navigation, Legal services, Manufacturing, Entertainment, Aerospace, Energy, High-tech, Healthcare
Targeted
Countries
Canada, France, Vietnam, Norway, Luxembourg, United Kingdom, Switzerland, Taiwan, Israel, United Arab Emirates, United States, Japan, India, Belgium, South Africa, Singapore, South Korea
Tools
Seasalt
Poison Ivy
Greencat
Starsypound
Mimikatz
Longrun
Tabmsgsql
Dairy
Gdocupload
Webc2
Helauto
Lslsass
Kurton
Newsreels
Bouncer
Sword
Pwdump
Cookiebag
Lightdart
Shadyrat
Tarsip
Gsecdump
Combos
Bangat
Hackfase
Cachedump
Glooxmail
Auriga
Living off the land
Pass-the-hash toolkit
Warp
Lightbolt
Oceansalt
Procdump
Goggles
Calendar
Glasses
Biscuit
Manitsme
Miniasp
Mapiget
Getmail
TTP
T1003 OS Credential Dumping
T1003.001 OS Credential Dumping: LSASS Memory
T1005 Data from Local System
T1007 System Service Discovery
T1016 System Network Configuration Discovery
T1021 Remote Services
T1021.001 Remote Services: Remote Desktop Protocol
T1036 Masquerading
T1036.005 Masquerading: Match Legitimate Name or Location
T1049 System Network Connections Discovery
T1057 Process Discovery
T1059 Command and Scripting Interpreter
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1087 Account Discovery
T1087.001 Account Discovery: Local Account
T1114 Email Collection
T1114.001 Email Collection: Local Email Collection
T1114.002 Email Collection: Remote Email Collection
T1119 Automated Collection
T1135 Network Share Discovery
T1550 Use Alternate Authentication Material
T1550.002 Use Alternate Authentication Material: Pass the Hash
T1560 Archive Collected Data
T1560.001 Archive Collected Data: Archive via Utility
T1566 Phishing
T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link
T1583 Acquire Infrastructure
T1583.001 Acquire Infrastructure: Domains
T1584 Compromise Infrastructure
T1584.001 Compromise Infrastructure: Domains
T1585 Establish Accounts
T1585.002 Establish Accounts: Email Accounts
T1588 Obtain Capabilities
T1588.001 Obtain Capabilities: Malware
T1588.002 Obtain Capabilities: Tool
Operations
Performed
[2006/2010] Operation "SeaSalt" (target: more than 140 US companies, in pursuit of sensitive corporate and intellectual property data; method: spear-phishing with malicious documents)
[2011-03] Breach of RSA. According to a Reuters source not authorized to discuss the matter publicly, the intruders got past defenses at defense contractors by creating duplicates of "SecurID" electronic keys from EMC Corp's RSA Security division. (https://www.reuters.com/article/us-usa-defense-hackers/exclusive-hackers-breached-u-s-defense-contractors-idUSTRE74Q6VY20110527, https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/)
[2011/2012] Hackers plundered Israeli defense firms that built the "Iron Dome" missile defense system (https://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/)
[2014-02] Operation "Siesta". FireEye looked deeper into the activity discussed in Trend Micro's blog and dubbed it the "Siesta" campaign. The tools, modus operandi and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1. (https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/, https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html)
[2018-05] Operation "OceanSalt" (target: OceanSalt appears to have been part of a well-focused operation targeting South Korea, the United States and Canada; a variant of the malware was distributed from two compromised sites in South Korea. Method: OceanSalt appears to be the first stage of an advanced persistent threat; the malware can send system data to a control server and execute commands on infected machines, but its ultimate purpose is not yet known. Note: it is possible that this operation was not performed by the actual Comment Crew group, as its members are supposedly in jail.) (https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf)
Counter
Operations
[2014-05] 5 in China Army face U.S. charges of cyberattacks (https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html)