Introduction
The APT3 cyber threat group is one of the earliest of today’s Advanced Persistent Threat groups and was instrumental in shaping the tactics, techniques, and operational model of many China-aligned cyber threat groups. For more than a decade APT3 has continued to evolve as an organization, albeit with varying levels of activity over time. In addition to providing a baseline for evaluating the relationship between state intelligence needs and private-sector capabilities, APT3 serves as an example of what to expect from similar groups in the future. Many other names are used to refer to APT3, including, but not limited to, BRONZE MAYFAIR, GOTHIC PANDA, BORON, Boyusec, Brocade Typhoon, Buckeye, TG-0110 and UPS. These multiple names are the result of different cybersecurity vendors and intelligence agencies independently researching overlapping clusters of APT3 activity.

Identity and Attribution
APT3 (Aptitude Threat Infiltration Group 3), formerly known as Boyusec, is considered part of the Chinese Cyber Espionage Program (CCEP), established around 2010-11 by China’s State Council and Ministry of State Security, with which the group maintains an ongoing association. The relationship between APT3 and Boyusec offers a unique view of how Chinese state cyber operations collaborate with private companies; APT3 is the only known APT group established in partnership with a commercial cybersecurity organisation (Boyusec). Both public and corporate intelligence indicate that APT3 supports several long-term espionage objectives.
Strategic Motivation
The main purpose of APT3 has always been to obtain sensitive information through cyber espionage, as opposed to generating revenue through online crime. APT3 focuses primarily on obtaining defense technology, advanced manufacturing and critical infrastructure information, which gives it sustained access to high-value networks. The majority of companies targeted by APT3 provided or facilitated innovation and policy development; as a result, through these companies, APT3 is able to collect valuable economic and strategic information.
Tactics, Techniques, and Procedures (TTPs)
APT3 used tactics that were sophisticated and advanced for their time, and more innovative than those of other actors active in the same period.
Initial Access
APT3 used a variety of methods to gain access, including social engineering through email and the exploitation of weaknesses in public-facing servers. The group was able to weaponize new vulnerabilities very quickly after disclosure (in some cases, before the vendor had released a patch).
In several of their campaigns, they took advantage of watering hole attacks. They compromised the website of an organization with which their targets were associated and then used those sites to distribute malware selectively to their intended victims.
Exploitation and Execution
APT3 is known for developing and using custom exploit frameworks. These frameworks were developed and maintained by APT3 and gave the group the capability to exploit different versions of commonly used enterprise software. Using them, an operator could execute payloads, escalate privileges, bypass security controls, and operate reliably.
APT3’s malware loader was modular, allowing an operator to deploy specific payloads based on the victim environment and the intelligence requirements of the operation.
Persistence and Lateral Movement
After gaining access to a network, APT3 established persistence by creating scheduled tasks, installing services, and modifying registry entries. APT3 was adept at exploiting the inner workings of Windows and had a strong understanding of enterprise networking environments and how they operate, which allowed the group to move easily from one workstation or system within a network to another.
Stealing credentials, using pass-the-hash techniques, and using administrative tools to escalate privileges were widely employed. All of these methods allowed an APT3 operator to gain wider access with minimal effort through less visible and less detectable means.
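The persistence mechanisms named above (scheduled tasks, service installation, Run-key changes) all leave Windows event records, and a defender can triage them by where the registered binary lives. The following detection logic is an added example, not part of the original page or any APT3 tooling; the event lines are constructed and simplified stand-ins for Security event 4698, System event 7045 and Sysmon event 13.

```python
import json
import re

# Constructed, simplified sample events (not from the page or any real incident).
# "id" is the Windows Security/System or Sysmon event ID; other keys are shortened
# stand-ins for the real event fields.
SAMPLE_EVENTS = [
    '{"id": 4698, "host": "ws01", "task": "\\\\Windows\\\\Updater", "cmd": "C:\\\\Users\\\\Public\\\\up.exe"}',
    '{"id": 7045, "host": "srv02", "service": "WinHelpSvc", "path": "C:\\\\ProgramData\\\\svc.exe"}',
    '{"id": 13, "host": "ws03", "key": "HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\upd", "value": "C:\\\\Users\\\\bob\\\\AppData\\\\Roaming\\\\upd.exe"}',
    '{"id": 7045, "host": "srv04", "service": "Spooler", "path": "C:\\\\Windows\\\\System32\\\\spoolsv.exe"}',
    '{"id": 4624, "host": "ws01", "user": "alice"}',
]

# Locations where a freshly registered persistence binary deserves a closer look.
USER_WRITABLE = re.compile(r"^c:\\(users\\|programdata\\|windows\\temp\\)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def classify(event):
    """Map an event to (technique, binary path) if it registers a persistence mechanism."""
    eid = event.get("id")
    if eid == 4698:  # Security log: a scheduled task was created
        return ("scheduled_task", event.get("cmd", ""))
    if eid == 7045:  # System log: a new service was installed
        return ("service_install", event.get("path", ""))
    if eid == 13 and RUN_KEY.search(event.get("key", "")):  # Sysmon: Run key value set
        return ("registry_run_key", event.get("value", ""))
    return None


def find_persistence(lines):
    """Return persistence events whose binary lives in a user-writable directory."""
    findings = []
    for line in lines:
        event = json.loads(line)
        hit = classify(event)
        if hit and USER_WRITABLE.search(hit[1]):
            findings.append({"host": event["host"], "technique": hit[0], "binary": hit[1]})
    return findings


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding)
```

The genuine Spooler service and the logon event pass through untouched; only the three registrations pointing at user-writable paths are surfaced for analyst review.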
Command and Control
APT3 made extensive use of flexible C2 infrastructure that blended malicious traffic with ordinary web traffic over the common HTTP/HTTPS protocols. Domains were registered to resemble legitimate domains, and the infrastructure was continuously rotated in order to minimize the chance of detection or identification.
Early in their operations, APT3 experimented extensively with proxy networks and multi-hop C2 chains, all of which increased the complexity of defensive operations.
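Because the C2 domains were chosen to resemble legitimate ones, a simple lookalike check over proxy or DNS logs is a useful defensive control. The code below is an added example, not from the original page; the allowlist and hostnames are constructed and none are real APT3 indicators. It flags character substitutions, embedded brand names and unexpected top-level domains against a list of domains the organisation trusts.

```python
# Constructed sample hostnames from a hypothetical proxy log (none are real APT3 indicators).
LEGIT_DOMAINS = ["microsoft.com", "adobe.com", "windowsupdate.com"]
SAMPLE_HOSTS = [
    "download.microsoft.com",   # genuine
    "update.micros0ft.com",     # digit substituted for a letter
    "adobe-update.net",         # brand embedded in a new registrable domain
    "cdn.windowsupdate.com",    # genuine
    "windowsupdate.co",         # brand on an unexpected TLD
    "example.org",              # unrelated
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: last two labels. Production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_reason(host, legit=LEGIT_DOMAINS, max_dist=2):
    """Explain why a host resembles a legitimate domain, or return None if it does not."""
    reg = registrable(host)
    if reg in legit or "." not in reg:
        return None
    name, tld = reg.rsplit(".", 1)
    for good in legit:
        gname, gtld = good.rsplit(".", 1)
        if name == gname and tld != gtld:
            return f"brand {gname} on unexpected TLD .{tld}"
        if levenshtein(name, gname) <= max_dist:
            return f"{name} is within edit distance {max_dist} of {gname}"
        if gname in name:
            return f"{name} embeds brand {gname}"
    return None


def find_lookalikes(hosts):
    """Return (host, reason) pairs for every host that looks like a legitimate domain."""
    return [(h, lookalike_reason(h)) for h in hosts if lookalike_reason(h)]
```

Short brand names produce more edit-distance false positives, so in practice tune max_dist per brand and allowlist known partner domains before alerting.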
Malware and Tooling
APT3 developed and deployed multiple well-known malware families and toolsets that have influenced subsequent China-linked attacks. These tools included custom-built backdoors, exploit kits and utilities for stealing user credentials.
APT3’s toolsets have been noted for their ‘industrial strength’ design: they were built for use across large and varied enterprise environments. This reflects APT3’s focus on larger, complex entities such as defence contractors and industrial companies.
The sophistication of APT3’s tool environment placed APT3 among the most capable APT actors of its day, particularly during its peak years 2012 to 2016.

Target Profile
APT3’s target set is extensive yet consistent with their broader strategy.
Primary Targets
- U.S. and European defense contractors and military researchers
- Firms that develop and manufacture aerospace components and advanced manufacturing equipment
- Telecommunications and technology firms that build infrastructure
- Government and policy agencies
Geographic Focus
APT3 operated across multiple continents, including the United States, Europe, and East Asia.
The group’s targeting patterns indicate a significant focus on gathering technology and intelligence with long-term benefits.
Notable Operations
APT3’s historical cyber espionage campaigns have been extensive and include:
- 2012–2014: Initial campaigns focused on defense contractors in the U.S. and Europe, using custom exploit toolkits and backdoors.
- 2015–2016: The peak of the group’s activity, with rapid exploitation of enterprise vulnerabilities leading to significant IP theft.
- 2017: Public disclosure and indictments disrupted the group’s activity, which trended downward thereafter.
- Post-2018: Reduced visibility, with suspected continued low-level or restructured activity within the broader China-nexus ecosystem.
These operations underscore APT3’s historical importance rather than current volume.
Evolution and Current Status
Over time, the operational model adopted by APT3 has changed, mostly due to public attribution and subsequent legal action. Most importantly, analysts now link less current activity to APT3’s earlier operations, which may suggest that APT3 personnel, tools, or methodologies were absorbed into other groups within the overall Chinese cyber threat environment.
The legacy of APT3 continues today, particularly among newer cyber espionage actors, whose exploit development and enterprise-scale intrusion operations show the influence of APT3’s methods.
Threat Assessment
Today, APT3 is assessed as a historically high-threat but currently relatively low-risk operator. Many of APT3’s earlier campaigns are no longer actively operated; however, many organizations have some level of historical exposure to APT3’s intrusion activity and may therefore still carry risk from previously compromised systems or stolen intellectual property.
APT3’s activities illustrate that early investment in exploit development, together with the discipline to maintain and protect those exploits, can yield long-term operational advantages for an operator.
Defensive Takeaways
When defending against threats like APT3, defenders can draw several lessons from APT3’s tradecraft:
- Prompt patching of enterprise systems, including software, applications, and services, is the quickest way to reduce exposure to intrusion
- Identifying abuse of legitimate processes and practices is critical
- An operator that remains in a network for an extended period without being noticed typically relies on stealth rather than overt exploitation.
Understanding how APT3 operated is important for protection against current espionage threats from actors aligned with Chinese interests.
Conclusion
APT3 occupies a unique place in the history of cyber espionage. Several standards set by APT3’s work serve as a blueprint for state/private-sector partnership, and many of the ideas used by advanced threat actors today were developed by APT3.
Currently, APT3 does not exist in the capacity that it once did. However, many organizations continue to develop their techniques on the foundation of APT3’s extensive work, which still shapes the nature of modern cyber threats. Defenders can better understand today’s high-end persistent threats by examining the techniques APT3 pioneered.


