APT3 Linked to Chinese Ministry of State Security

Researchers claim that APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS).

Researchers claim that APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS). The allegations come from Recorded Future which released a report Wednesday that claims it has found conclusive ties that link APT3 with MSS, China’s equivalent of the National Security Agency.

“Our conclusion is, that for the first time, we have been able to link with high confidence a threat actor with the Chinese MSS,” said Samantha Dionne, researcher with Recorded Future. “In the past the assumption was APT3 was related to the MSS. But, there has never been enough information to make the connection. Now we can make that determination.”

APT3, also known as UPS, Gothic Panda, and TG-011, is a threat group that has been active since at least 2010, according to Recorded Future. APT3 has used its exploits to target critical industries such as aerospace and defense, construction and engineering, as well as government departments and bureaus in Hong Kong and the United States, Recorded Future said.

Last year, APT3 was believed to be behind an attack against two Hong Kong government agencies, according to a report by FireEye. In 2015, security experts said it was APT3 that used a Flash zero day as part of the so-called Clandestine Fox operation. In May 2014, Microsoft was forced to release an out-of-band patch for Internet Explorer to counter attacks against a zero day used by APT3.

“Using historic DNS registration coupled with publicly available Chinese company records, we are able to demonstrate a solid link between tradecraft used by APT3 and government contractor Guangzhou Boyu Information Technology Company (also known as Boyusec),” Dionne said.

In its report, Recorded Future revealed that a key Boyusec business partner called Guangdong ITSEC is actually a field office for a branch of the MSS.

“Boyusec and Guangdong ITSEC have been documented working collaboratively together since at least 2014,” the report states. “According to its website, Boyusec has only two collaborative partners, one of which is working with to support Chinese intelligence services, the other, Guangdong ITSEC, which is actually a field site for a branch of the MSS.”

Threatpost attempted to contact China-based Bo Yu Guangzhou Information Technology and did not get responses in time for publication.

Making bold attribution statements, such as ATP3’s ties to MSS, is unusual within the security community. Researchers that have looked at APT3 and other threat actors have avoided making such claims arguing false flags make attribution too difficult.

Recorded Future research comes on the heels of a report by Intrusiontruth, released last week, that also alleges MSS and Boyusec are linked. In an analysis of APT3 and Boyusec, Intrusiontruth said it found common links between the two when analyzing APT3’s command and control infrastructure.

Intrusiontruth said it “identified two individuals responsible for purchasing their domain names – Wu Yingzhuo and Dong Hao. An IP addresses in Guangdong, China was associated with some of the domains. Both individuals have a long history of purchasing APT3 infrastructure… Wu Yingzhuo and Dong Hao are both shareholders in the same company (Boyusec).”

Ties between MSS and Boyusec were also suggested last year in a report by The Washington Free Beacon that quote unnamed Pentagon intelligence officials as saying that Boyusec was covertly working with Beijing’s Ministry of State Security intelligence service in conducting cyber espionage operations.

Earlier this year a report by Cybereason singled out a number of Chinese firms as examples of a private company carrying out attacks on the behalf of MSS.

Typically APT attacks have been the work of internal government spy apparatuses, but outsourcing allows nation states to shift risk, dodge attribution claims and take advantage of more sophisticated APT tools available on the black market, according to Cybereason.

Recorded Future said companies or government departments that believe they have been compromised by APT3 should reexamine those intrusions. “They need to realize the information that was lost was used to support a larger Chinese political, economic or military goals,” Dionne said.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.