dormant profile
type Nation-State
threat_level Critical
status Dormant
origin China — PLA Unit 61398
last_updated 2026-03-26

APT1 / Comment Crew

also known as: PLA Unit 61398, Comment Group, Comment Panda, Byzantine Candor, Shanghai Group, Brown Fox, GIF89a, TG-8223, G0006 (MITRE ATT&CK)

The single most documented cyber espionage unit in history. Operating out of a 12-story building in Shanghai's Pudong district, APT1 systematically compromised 141 organizations across 20 industries over at least seven years, stealing hundreds of terabytes of intellectual property on behalf of the Chinese state — until Mandiant's landmark 2013 report forced them to go dark.

attributed origin China (Shanghai, Pudong)
suspected sponsor People's Liberation Army — 2nd Bureau, 3rd Department, GSD
first observed 2006
primary motivation Economic Espionage, Strategic IP Theft
primary targets Aerospace, Defense, Energy, Telecom, Manufacturing
confirmed victims 141+ organizations
mitre att&ck group G0006
target regions USA (primary), Canada, UK, Europe, Asia-Pacific
threat level Critical (Historical) / Dormant

Overview

APT1 — formally attributed to the 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, identified by its Military Unit Cover Designator as Unit 61398 — is the most extensively documented state-sponsored cyber espionage operation ever exposed. Operating from a purpose-built, fiber-optically wired 12-story facility at 208 Datong Road in Shanghai's Pudong New Area, the unit conducted what Mandiant described in its landmark February 2013 report as a multi-year, enterprise-scale espionage campaign against a broad cross-section of Western industry.

The group's popular designation, Comment Crew, derives directly from its signature tradecraft: its WEBC2-family backdoors retrieved commands embedded within HTML comment tags on attacker-controlled web pages — a technique that blended malicious traffic into the noise of ordinary web browsing. From at least 2006 through 2013, APT1 breached and maintained persistent access to at least 141 organizations across 20 major industries, exfiltrating hundreds of terabytes of intellectual property. Their longest documented single-victim intrusion lasted nearly five years; their largest single-victim exfiltration reached 6.5 terabytes in ten months.

Mandiant's 2013 report was a watershed event in the history of threat intelligence. It was the first time a private-sector firm publicly attributed a sustained espionage campaign to a specific foreign military unit, named individual operators, traced activity to a physical building, and released over 3,000 indicators of compromise. The report triggered a cascade of consequences: a 2014 Department of Justice indictment of five PLA officers — the first criminal charges ever filed against state actors for cyber-enabled economic espionage — and ultimately contributed to the 2015 Obama-Xi bilateral agreement in which both governments pledged not to conduct or knowingly support commercial cyber espionage.

Following public exposure, APT1's infrastructure was essentially abandoned overnight. The group has not been publicly attributed to significant activity since 2013, though in 2018 McAfee discovered that the Seasalt source code — a tool from APT1's arsenal — had been reused in a new campaign called Operation Oceansalt, suggesting someone with access to APT1's original code had continued operating, or that code-sharing had occurred between Chinese threat actors.

attribution note

Chinese government officials consistently denied any involvement in APT1's activities. The connection to PLA Unit 61398 rests on Mandiant's forensic evidence, including source IP address patterns, working hours that track Shanghai time, reused operator handles, and social media activity conducted directly from attack infrastructure, and was corroborated by the 2014 U.S. Department of Justice indictment, which charged five officers of Unit 61398 by name.

Target Profile

APT1's targeting was broad rather than narrow. Mandiant described a continuous campaign across a wide spectrum of economically and strategically valuable sectors, and noted that the industries hit overlap heavily with the strategic emerging industries named in China's 12th Five-Year Plan. The victim set skewed strongly toward English-speaking organizations: 115 of the 141 confirmed victims were U.S.-based, with Canada and the UK also heavily represented.

  • Aerospace and Defense: Among the highest-value targets. Public reporting has linked Chinese cyber espionage to the loss of F-35 Joint Strike Fighter design data from Lockheed Martin and to sustained intrusions at Northrop Grumman; neither Mandiant's report (which anonymized victims) nor the 2014 indictment names an aerospace victim, so treat those attributions as reported rather than confirmed. Data from this sector gives direct insight into advanced military technologies.
  • Energy and Utilities: Oil, gas, and power sector organizations were repeatedly targeted for pipeline infrastructure data, drilling technology, and operational process documentation.
  • Metals and Manufacturing: U.S. Steel, Allegheny Technologies, Alcoa, and similar industrial firms were targeted in campaigns later formalized in the 2014 DOJ indictment. Stolen data included product specifications, pricing strategies, and litigation-sensitive internal communications.
  • Nuclear Power: Westinghouse Electric was specifically named in the DOJ indictment, with APT1 exfiltrating design documents and technical parameters related to nuclear plant construction.
  • Telecommunications and IT: Infrastructure providers were targeted for network topology data, authentication credentials, and the potential to facilitate further intrusions into downstream customers.
  • Financial Services: Banks and investment firms were targeted primarily for strategic and M&A intelligence that could advantage Chinese state-owned enterprises in competitive negotiations.
  • Legal and Labor Organizations: The United Steelworkers Union was listed as a victim in the DOJ indictment, highlighting APT1's interest in labor strategy and litigation positioning as adjuncts to industrial espionage.
  • Solar and Green Energy: SolarWorld was a named victim. Chinese state-owned manufacturers directly competing with targeted Western solar firms were among the beneficiaries of stolen data.

Tactics, Techniques & Procedures

APT1 operated at industrial scale, running dozens of simultaneous intrusions with a structured, hierarchical team. Their TTPs followed a consistent lifecycle: spear-phishing for initial access, backdoor installation for persistence, credential theft for lateral movement, and prolonged low-and-slow exfiltration. Early in their operations, their OPSEC was notably poor — they used Chinese IP addresses, logged into social media from attack infrastructure, and left identifiable strings in their malware — which ultimately enabled Mandiant's attribution.

  • T1566.001 Spear-Phishing Attachment: Primary initial access vector. Highly targeted emails with malicious attachments, typically documents disguised as legitimate business correspondence, sent to specific employees at victim organizations.
  • T1566.002 Spear-Phishing Link: Supplementary phishing technique using crafted links to attacker-controlled infrastructure to deliver WEBC2 and related payloads.
  • T1071.001 Web Protocols (C2 via HTTP/HTTPS): WEBC2 backdoors fetched commands from attacker-controlled web pages over HTTP or HTTPS, with the instructions embedded in HTML comment tags or custom tags so that C2 traffic resembled ordinary browsing.
  • T1547.001 Registry Run Keys / Startup Folder: Persistence via Windows Registry Run keys and startup folder entries, giving redundant mechanisms that survived reboots and partial clean-up.
  • T1053 Scheduled Task/Job: Scheduled tasks alongside Registry keys, so a backdoor could be reinstated if one persistence mechanism was found and removed.
  • T1078 Valid Accounts and T1550.002 Pass the Hash: Credentials were dumped with publicly available tools and then reused, including as raw NTLM hashes, to reach shared resources and move laterally with ordinary-looking authentications.
  • T1021 Remote Services: Stolen credentials and backdoors were used to pivot between internal systems (including over RDP), map the network, and locate high-value data repositories for staged exfiltration.
  • T1560 Archive Collected Data: Target files were identified, staged and compressed before exfiltration; Mandiant documented batch scripts that built RAR archives, often password-protected. Transfers were frequently run off-hours and split into chunks to stay under data-loss-prevention thresholds.
  • T1041 Exfiltration Over C2 Channel: Primary exfiltration over the backdoors' own HTTP/HTTPS channels; Mandiant also observed FTP, and later tooling used Google services (see GDOCUPLOAD and CALENDAR under Tools & Malware) that most perimeters allowed.
  • T1036 Masquerading: Malware components were named or structured to resemble legitimate system processes or software, complicating detection by tools and by analysts doing manual review.
  • T1003.001 OS Credential Dumping: LSASS Memory: Rather than relying on kernel exploits, APT1 harvested credentials from compromised hosts with the public tools Mandiant listed in its appendix (cachedump, fgdump, gsecdump, lslsass, mimikatz, pwdump7, pwdumpX and the Pass-The-Hash Toolkit), which is what made pass-the-hash lateral movement possible.
  • T1056.001 Keylogging: Standard backdoors such as BISCUIT included keylogging to capture credentials and sensitive communications, supplementing credential dumping.
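The defining WEBC2 trait above is that tasking hides inside HTML comments of an otherwise innocuous page. The following detector, an added example and not code from Mandiant's report or from this profile, pulls every comment out of a fetched page and flags tokens that base64-decode to readable text or have the entropy of an encoded blob. The sample page, its "OBJ" marker and the base64 encoding are constructed stand-ins; the real WEBC2 variants each used their own marker and encoding, so in production the heuristics below are a starting point, not a signature.

```python
import base64
import math
import re
from html.parser import HTMLParser

# Constructed sample page (not a real WEBC2 page). The "OBJ" marker and the
# base64 encoding are hypothetical stand-ins for the variant-specific markers
# and encodings Mandiant documented; only the hiding place (an HTML comment)
# is the point being illustrated.
SAMPLE_PAGE = """<html><head><title>Quarterly Newsletter</title></head>
<body>
<!-- page generated 2012-04-03 -->
<p>Welcome to our newsletter.</p>
<!-- OBJ c2xlZXAgMzYwMA== -->
<div>Contact us for more information.</div>
<!-- footer v2 -->
</body></html>"""

# A run of base64 alphabet characters (12 or more) with optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


class _CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return the stripped text of all HTML comments, in document order."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def shannon_entropy(s):
    """Bits of entropy per character; encoded blobs score higher than prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def _decode_printable(token):
    """Base64-decode token; return the text only if it is printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


def suspicious_comments(html, min_len=12, entropy_threshold=3.5):
    """Flag comment tokens that decode from base64 to text or look like
    high-entropy blobs. Benign comments (dates, version tags, prose) rarely
    contain a single long base64 run; build-tool comments that embed hashes
    will need an allow-list."""
    findings = []
    for comment in extract_comments(html):
        for token in comment.split():
            if len(token) < min_len:
                continue
            decoded = _decode_printable(token) if B64_TOKEN.match(token) else None
            if decoded is not None:
                reason = "base64 token decodes to printable text"
            elif shannon_entropy(token) >= entropy_threshold:
                reason = "high-entropy token"
            else:
                continue
            findings.append({"comment": comment, "token": token,
                             "decoded": decoded, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_comments(SAMPLE_PAGE):
        print(f"{f['reason']}: {f['token']!r} -> {f['decoded']!r}")
```

Run against the sample, the detector ignores the two ordinary comments and reports the one whose token decodes to `sleep 3600`. The same extraction step can be pointed at proxy-captured response bodies for hosts that beacon to the same external page on a fixed interval, which is the traffic shape WEBC2 produced.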

Known Campaigns

APT1's operational tempo was continuous rather than campaign-based in the traditional sense — they maintained simultaneous intrusions across dozens of organizations at any given time. The following represent the most significant named or formally documented operations.

Operation Shady RAT 2006 – 2011

A multi-year espionage operation disclosed by McAfee in 2011 after researchers gained access to a command-and-control server used by the operators. Logs on that server showed intrusions into 72 organizations worldwide, spanning governments, defense contractors, international sports bodies, and technology firms. McAfee did not name the actor; the operation's C2, which hid commands in HTML comments on web pages, matches the Comment Crew tradecraft Mandiant later described, and Shady RAT is widely attributed to the same group on that basis rather than by an explicit statement in the 2013 report. Lockheed Martin is among the suspected victims, and the loss of F-35 Joint Strike Fighter data has been widely reported; China's Shenyang FC-31 stealth fighter, first flown in 2012, is often cited for its resemblance to the F-35, though the design-theft link remains circumstantial.

DOJ Indictment Targets (Western PA) 2006 – 2014

The campaign formally charged in the May 2014 U.S. Department of Justice indictment of five PLA officers: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui. Victims included Westinghouse Electric (nuclear plant design data), U.S. Steel and Allegheny Technologies (steel manufacturing processes), SolarWorld (proprietary solar technology and pricing strategy), Alcoa (internal communications related to a Chinese state-owned enterprise partnership), and the United Steelworkers Union (litigation strategy documents). The indictment represented the first criminal charges ever brought against identified state actors for cyber-enabled economic espionage.

Operation Oceansalt (Code Reuse) 2018

Not directly attributed to APT1, but significant as evidence that APT1's source code survived the group's apparent shutdown. McAfee discovered a new espionage campaign targeting South Korean public infrastructure, U.S. financial firms, and Canadian agricultural organizations that reused large portions of APT1's 2010 Seasalt implant code — including identical command handlers, response codes, and reverse-shell logic. Because the Seasalt source code was never publicly released, this overlap suggests either a code-sharing arrangement between Chinese threat actors, a false-flag operation, or a remnant operator with direct access to the original APT1 codebase.

Continuous Multi-Sector Intrusions 2006 – 2013

APT1's standard operating posture: simultaneous persistent access to dozens of organizations across 20 industries at any given time. Mandiant documented their working hours as consistent with a standard 9-to-5 Shanghai workday, supporting the military unit attribution. The group maintained redundant backdoors across victim networks, returned to previously compromised organizations after apparent periods of inactivity, and tailored exfiltration targets to current Chinese state priorities in energy, defense, and advanced manufacturing.
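The working-hours correlation mentioned above is a reproducible analytic, not just an observation: shift every operator login timestamp into each candidate home time zone and see which zone turns the activity into a normal working week. The block below is an added example (not Mandiant's code or data); its timestamps are constructed so the pattern is visible, and it uses fixed UTC offsets for the sample week instead of the tz database, which is an assumption you would replace with `zoneinfo` for a multi-year dataset with DST transitions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of hypothetical operator logins to attack
# infrastructure over one working week. They are NOT the timestamps from
# Mandiant's report; they are chosen so that the pattern is visible.
SAMPLE_EVENTS_UTC = [
    f"2012-04-{day:02d}T{clock}Z"
    for day in range(2, 7)                      # Mon 2 Apr .. Fri 6 Apr 2012
    for clock in ("01:15:00", "03:40:00", "06:05:00", "08:30:00")
] + ["2012-04-03T12:30:00Z"]                    # one evening login

# Candidate home zones as fixed UTC offsets valid for the sample week (April:
# London on BST, New York on EDT). Fixed offsets keep the example free of
# tz-database dependencies; real analysis should use zoneinfo so that DST
# transitions across a multi-year dataset are handled correctly.
CANDIDATE_OFFSETS = {"Asia/Shanghai": 8, "Europe/London": 1, "America/New_York": -4}


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_profile(events_utc, offset_hours, start_hour=8, end_hour=18):
    """Shift events into a candidate zone and measure how much activity falls
    inside a local working day (start_hour <= hour < end_hour) and on weekdays."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [parse_utc(s).astimezone(tz) for s in events_utc]
    n = len(local)
    hist = Counter(d.hour for d in local)
    in_hours = sum(1 for d in local if start_hour <= d.hour < end_hour)
    weekdays = sum(1 for d in local if d.weekday() < 5)
    return {
        "offset_hours": offset_hours,
        "n": n,
        "hour_histogram": dict(sorted(hist.items())),
        "business_hours_share": in_hours / n,
        "weekday_share": weekdays / n,
    }


def rank_timezones(events_utc, candidates):
    """Score each candidate zone; the best fit is the one that turns the most
    activity into a plausible local working week."""
    profiles = []
    for label, offset in candidates.items():
        profile = working_hours_profile(events_utc, offset)
        profile["label"] = label
        profiles.append(profile)
    return sorted(profiles,
                  key=lambda p: (p["business_hours_share"], p["weekday_share"]),
                  reverse=True)


if __name__ == "__main__":
    for p in rank_timezones(SAMPLE_EVENTS_UTC, CANDIDATE_OFFSETS):
        print(f"{p['label']:>17}: {p['business_hours_share']:.0%} in 08-18 local, "
              f"{p['weekday_share']:.0%} on weekdays")
```

On the sample, the UTC+8 hypothesis places 20 of 21 logins inside an 08:00 to 18:00 local working day, while the UTC-4 hypothesis places one. The caveat practitioners should keep in mind is the one Mandiant itself applied: this is one corroborating signal among several (language settings, handles, registration records), and a disciplined operator can shift-work to defeat it.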

Tools & Malware

APT1 deployed a custom ecosystem of over 40 purpose-built malware tools, documented extensively in Mandiant's 2013 report appendix and later catalogued in MITRE ATT&CK. All tools were designed for Windows environments and built to blend C2 traffic with legitimate network activity.

  • WEBC2 (family): APT1's signature backdoor family, first observed in July 2006 and continuously developed through 2012. WEBC2 backdoors retrieved commands hidden in HTML comment tags or custom tags from attacker-controlled web pages, using HTTP or HTTPS. Over 20 named WEBC2 variants were documented, including WEBC2-ADSPACE, WEBC2-AUSOV, WEBC2-BOLID, WEBC2-CSON, WEBC2-DIV, WEBC2-HEAD, WEBC2-RAVE, WEBC2-TABLE, WEBC2-TOCK and WEBC2-YAHOO. Each variant used its own configuration structure and header encoding scheme.
  • BISCUIT: A feature-rich standard backdoor named after its internal command string "bdkzt." Supported an extensive command set including file management, process control, registry modification, screenshot capture, keylogging, mouse capture, interactive shell, remote desktop, password harvesting, user and system enumeration, and timed sleep/dormancy.
  • SEASALT: A Windows backdoor communicating over HTTP, tied to APT1's 2010 operations. It later achieved notoriety when McAfee found its source code reused in the 2018 Operation Oceansalt implant, which shares command handlers, response strings and reverse-shell logic with it.
  • GLOOXMAIL: A stealth backdoor designed to communicate via Google Talk (XMPP protocol), allowing C2 traffic to masquerade as legitimate instant messaging activity and bypass network-level inspection tools configured to allow Google services.
  • AURIGA: A backdoor family that shares much of its code with BANGAT and is distinguished by a kernel-mode driver component used to hide the implant on the host. The off-hours, size-chunked transfers APT1 favored were driven by operator scripts and the backdoors' file-transfer commands rather than by a dedicated exfiltration tool.
  • KURTON: A backdoor family communicating over HTTP, listed in Mandiant's appendix alongside the other standard backdoors used to enumerate and collect files from compromised hosts.
  • TABMSGSQL: A specialized database exfiltration tool targeting SQL-based data stores, enabling extraction of structured database content alongside file-based intellectual property.
  • BANGAT / HELAUTO / Poison Ivy: BANGAT and HELAUTO are backdoor families from Mandiant's appendix (BANGAT shares much of its code with AURIGA); Poison Ivy is a publicly available RAT that MITRE lists among APT1's software. Once planted on additional hosts, these were combined with dumped credentials and utilities such as xCmd and net use to extend the intrusion across the network.
  • MAPIGET: An email harvesting tool targeting Microsoft Exchange environments, used to extract email content and contacts from compromised executive and technical personnel accounts.
  • GDOCUPLOAD / CALENDAR / COOKIEBAG: Later-generation tools that moved C2 and exfiltration onto widely permitted Google services: GDOCUPLOAD uploads files to Google Docs, CALENDAR takes its tasking from Google Calendar events, and COOKIEBAG is an HTTP-based backdoor from the same appendix. They reflect APT1's adaptation to stricter egress filtering.

Indicators of Compromise

The following IOCs are drawn from Mandiant's 2013 public disclosure and subsequent DOJ filings. These are historical indicators from a dormant threat actor. Most associated infrastructure has been taken offline or repurposed.

warning

These IOCs date from 2006–2013. They are retained for historical reference and forensic research purposes only. Do not use for active blocking without cross-referencing against current threat intelligence feeds — IP ranges and domains have almost certainly been reassigned or repurposed.

historical indicators of compromise
ip ranges 58.246.0.0/16 and 58.247.0.0/16 (China Unicom, Shanghai; Mandiant documented these net blocks as the source of the large majority of operator logins to attack infrastructure); 61.147.67.0/24 (China Netcom)
domain msupdaterx.com
domain servicevsp.com
domain updateservice.com
domain ns1.mydomainservice.com
c2 pattern WEBC2-style HTTP beacons: periodic GET requests to attacker-registered domains for pages whose HTML comments or custom tags carry encoded tasking; variants also used distinctive hard-coded User-Agent and header values
yara / snort sigs Mandiant's report appendices published over 3,000 indicators (FQDNs, MD5 hashes, SSL certificates and OpenIOC files); the community YARA and Snort rules for WEBC2 and the other APT1 families are derived from them
string Upfileer / Upfileok (present in both Seasalt and Oceansalt samples)

Mitigation & Defense

APT1 is assessed as dormant. However, understanding their methods remains highly relevant — their TTPs represent a template that has been replicated by successor Chinese APT groups including APT10, APT40, and Volt Typhoon. Defensive measures that would have countered APT1 remain effective against many current state-sponsored threats.

  • Spear-Phishing Prevention: APT1 relied heavily on spear-phishing for initial access. Deploy email security gateways with attachment sandboxing, enforce macro execution policies in Microsoft Office, and implement user awareness training that specifically covers targeted (non-generic) phishing lures — APT1 crafted convincing, contextually appropriate emails.
  • Endpoint Detection and Response: Standard AV was ineffective against APT1's custom malware. EDR platforms with behavioral detection capabilities can identify the anomalous process spawning, Registry Run key modifications, and large outbound transfers that characterize APT1-style intrusions even when specific malware signatures are unknown.
  • Credential Hygiene and Pass-the-Hash Mitigation: APT1 used pass-the-hash attacks extensively for lateral movement. Implement Protected Users security groups, enable Credential Guard on Windows 10/11 and Server 2016+, disable NTLM where feasible, and enforce least-privilege access models that limit the blast radius of any single compromised account.
  • Network Segmentation and Monitoring: APT1 pivoted freely across poorly segmented networks. Enforce strict east-west traffic controls, monitor for anomalous internal scanning and lateral movement, and deploy network detection and response (NDR) tools capable of identifying WEBC2-style C2 patterns — consistent requests to suspicious external domains with unusual HTTP header structures.
  • Egress Filtering and DLP: APT1 exfiltrated hundreds of terabytes. Implement DLP policies at network egress points, monitor for large outbound transfers — particularly compressed archives — and restrict outbound connections to approved cloud services and domains. APT1 later adopted Google-service-based exfiltration specifically to evade basic egress controls.
  • Privileged Account Management: APT1 lived on harvested credentials, dumping password hashes with tools such as mimikatz, gsecdump and pwdump and replaying them across the network. Keep domain administrator credentials off the workstations and servers most exposed to phishing, use privileged access workstations (PAWs) and tiered administration, and keep a rigorous patch schedule so that known local privilege escalation bugs cannot turn a user-level foothold into SYSTEM and LSASS access.
  • Threat Intelligence Integration: APT1's infrastructure exhibited distinctive patterns documented in public threat intelligence. Subscribe to reputable CTI feeds, cross-reference with MITRE ATT&CK Group G0006 mappings, and use the Snort/Suricata and YARA rules derived from Mandiant's appendices to detect residual or copycat activity.
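The egress point above, and the size-chunked, off-hours transfers described under T1560, come down to one detection problem: a per-transfer DLP threshold never fires when each chunk is small, so the control has to aggregate bytes per internal host and destination over a rolling window. The block below is an added example (not Mandiant's or this profile's code); the flow log format is hypothetical and the records use RFC 5737 test addresses rather than any real indicator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed flow records using RFC 5737 test addresses (not real IOCs). One
# internal host pushes eight 90 MB chunks to the same external host overnight,
# each below a 100 MB per-transfer DLP threshold; another host makes a single
# 600 MB FTP transfer; the rest is ordinary traffic plus one malformed line.
SAMPLE_FLOWS = """\
2013-01-14T01:05:11Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T01:06:40Z src=10.1.4.22 dst=198.51.100.9 dport=443 bytes=1200
2013-01-14T02:30:02Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T03:55:47Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T05:20:19Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T06:45:03Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T08:10:58Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T09:35:22Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T11:00:09Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=90000000
2013-01-14T09:00:00Z src=10.1.4.23 dst=198.51.100.7 dport=443 bytes=50000000
2013-01-14T14:00:00Z src=10.1.4.23 dst=198.51.100.7 dport=443 bytes=50000000
2013-01-14T22:15:30Z src=10.1.4.30 dst=203.0.113.45 dport=21 bytes=600000000
this line is not a flow record
"""

# Hypothetical key=value flow line format; adapt the regex to your collector.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"]),
        }


def max_window_total(series, window):
    """Largest byte total over any set of flows whose timestamps lie within
    `window` of each other (two-pointer sweep over the time-sorted series)."""
    series = sorted(series)
    best = total = 0
    left = 0
    for ts, size in series:
        total += size
        while ts - series[left][0] > window:
            total -= series[left][1]
            left += 1
        best = max(best, total)
    return best


def detect_staged_exfil(text, per_flow_limit=100_000_000,
                        window_limit=500_000_000, window=timedelta(hours=24)):
    """Per (src, dst) pair: 'bulk' when any single flow reaches the per-transfer
    limit a DLP would fire on; 'chunked' when every flow stays under that limit
    but the pair's rolling-window total still reaches window_limit."""
    by_pair = defaultdict(list)
    for f in parse_flows(text):
        by_pair[(f["src"], f["dst"])].append((f["ts"], f["bytes"]))
    findings = []
    for (src, dst), series in sorted(by_pair.items()):
        largest = max(size for _, size in series)
        peak = max_window_total(series, window)
        if largest >= per_flow_limit:
            kind = "bulk"
        elif peak >= window_limit:
            kind = "chunked"
        else:
            continue
        findings.append({"src": src, "dst": dst, "flows": len(series),
                         "largest_flow_bytes": largest,
                         "peak_window_bytes": peak, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in detect_staged_exfil(SAMPLE_FLOWS):
        print(f"{f['kind']:8} {f['src']} -> {f['dst']}: {f['flows']} flows, "
              f"{f['peak_window_bytes'] / 1e6:.0f} MB in window")
```

On the sample, the 600 MB FTP transfer is the easy "bulk" case any per-transfer threshold catches; the eight 90 MB pushes from 10.1.4.22 only surface when the 24-hour total (720 MB) is checked. Shrinking the window to two hours drops that finding, which is exactly the blind spot a patient operator exploits, so the window should be sized to the longest transfer campaign you are prepared to miss rather than to what is convenient to store.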
analyst note

While APT1 has been dormant since 2013, the PLA's offensive cyber capabilities did not disappear; they reorganized. Following the Obama-Xi agreement and the 2015-2016 PLA restructuring, primary responsibility for commercial and strategic cyber espionage shifted to the Ministry of State Security (MSS). Groups such as APT10, APT40 and Salt Typhoon represent the current operational manifestation of Chinese state-sponsored cyber activity. Defenses built for APT1-era threats must be continuously updated to address the evolved TTPs of these successor groups.

Sources & Further Reading

Attribution and references used to build this profile:

  • Mandiant, "APT1: Exposing One of China's Cyber Espionage Units" (February 2013), including the appendices covering the malware arsenal, FQDNs, MD5 hashes, SSL certificates and OpenIOC indicators.
  • U.S. Department of Justice, "U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage" (press release, 19 May 2014); United States v. Wang Dong et al., W.D. Pa.
  • McAfee, "Revealed: Operation Shady RAT" (August 2011).
  • McAfee Advanced Threat Research, Operation Oceansalt report (October 2018).
  • MITRE ATT&CK, Group G0006 (APT1).