APT 1. Comment Crew / Shanghai Group

APT 1: A Look at One of China’s Most Notorious Cyber Espionage Groups

APT 1, also known as the Comment Crew or Shanghai Group, is a Chinese cyber espionage group that gained international attention for its role in a widespread and sustained campaign of network intrusions. The group is assessed to be Unit 61398 of the People's Liberation Army (PLA), based in Shanghai, and is primarily known for targeting industries in the United States and other Western countries.

Key Activities and Targets

APT 1 is primarily associated with cyber espionage, particularly the theft of intellectual property, trade secrets, and other sensitive information. The group’s activities have focused on sectors such as:

  • Aerospace
  • Telecommunications
  • Energy
  • Manufacturing
  • Defense contractors

The group has been linked to persistent intrusions in which it gains access to a network and then maintains a presence for extended periods to gather intelligence and steal data. Mandiant measured an average of 356 days of access per victim, with the longest recorded case lasting four years and ten months.

Exposing APT 1

In February 2013, cybersecurity firm Mandiant (acquired by FireEye later that year and, since 2022, part of Google Cloud) published a comprehensive report, "APT1: Exposing One of China's Cyber Espionage Units", detailing the group's operations. The report provided evidence linking the group to PLA Unit 61398 in Shanghai. It identified at least 141 organizations spanning 20 industries that had been compromised by APT 1, revealing the group's vast scope and capabilities.

According to the report, APT 1 gained initial access through spear-phishing emails carrying malicious attachments or links, then deployed custom malware and backdoors to establish long-term control over compromised systems. From that foothold the group exfiltrated sensitive information in significant volumes, hundreds of terabytes in aggregate across its victims, over long periods.
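The two behaviours that paragraph describes, a backdoor checking in with its controller for months and a large outbound transfer from the same host, are exactly what a security operations team hunts for in proxy logs. The following is an added detection example written for this page; it is not code from the original article or from the Mandiant report. The log format (one request per line: ISO timestamp, source IP, destination host, method, bytes sent), the sample traffic, the host names and the thresholds are all constructed assumptions, not real APT 1 artifacts.

```python
"""Hunt for long-lived beaconing and bulk outbound transfer in proxy logs.

Added example for this page (not the report's or the article's own code).
Assumptions: log lines look like
    <ISO-8601 timestamp> <src_ip> <dst_host> <method> <bytes_out>
and the thresholds below are starting points to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed proxy log (not real traffic).

    10.0.0.5 checks in with one external host roughly every hour for five
    days, then pushes a 256 MiB POST to it; 10.0.0.7 is ordinary, irregular
    browsing to several sites.
    """
    start = datetime(2013, 2, 1, 8, 0, 0)
    lines = []
    for i in range(120):                        # 5 days of hourly check-ins
        jitter = (i * 37) % 61 - 30             # deterministic +/-30 s jitter
        ts = start + timedelta(hours=i, seconds=jitter)
        lines.append(f"{ts.isoformat()} 10.0.0.5 cdn-update.example.net GET 412")
    ts = start + timedelta(days=4, hours=2, minutes=30)
    lines.append(f"{ts.isoformat()} 10.0.0.5 cdn-update.example.net POST 268435456")
    gaps = [90, 4000, 33, 7200, 15, 900, 18000, 60, 2400, 5]
    ts = start
    for i, gap in enumerate(gaps * 3):          # irregular human browsing
        ts += timedelta(seconds=gap)
        lines.append(f"{ts.isoformat()} 10.0.0.7 site{i % 4}.example.org GET {200 + i}")
    return "\n".join(sorted(lines))             # ISO timestamps sort lexically


def parse_log(text):
    """Parse log text into (timestamp, src, dst, method, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, method, int(nbytes)))
    return records


def find_beacons(records, min_events=24, min_span_days=3.0, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-request gaps are regular.

    A backdoor check-in has a low coefficient of variation (stdev / mean)
    of its gaps and spans days; a browsing session does neither.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _method, _nbytes in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        cv = pstdev(gaps) / mean(gaps)
        if span_days >= min_span_days and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "interval_s": round(mean(gaps)),
                         "span_days": round(span_days, 1), "cv": round(cv, 3)})
    return hits


def find_bulk_exfil(records, threshold_bytes=100 * 1024 * 1024):
    """Sum bytes sent per internal host and return those over the threshold."""
    totals = defaultdict(int)
    for _ts, src, _dst, _method, nbytes in records:
        totals[src] += nbytes
    return {src: total for src, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for hit in find_beacons(recs):
        print("beacon:", hit)
    for src, total in find_bulk_exfil(recs).items():
        print(f"bulk outbound: {src} sent {total} bytes")
```

Run on the constructed log, the beacon detector reports only the 10.0.0.5 to cdn-update.example.net pair (121 requests at a ~3570 s interval over five days, coefficient of variation well under 0.2), and the volume check reports only 10.0.0.5. The two signals are deliberately independent: a patient operator may keep transfers small per day, so the beacon regularity catches the persistence even when the byte count does not, while a one-off bulk push is caught by the total even if the check-ins were hidden in ordinary-looking traffic.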

Connection to China’s State Interests

APT 1's operations align with China's broader strategic goals of advancing its technological and military capabilities. The information stolen by APT 1 is alleged to have contributed to China's economic growth by giving Chinese companies access to foreign intellectual property, reducing the time and cost of their own research and development.

While the Chinese government has consistently denied involvement in cyber espionage activities, the evidence presented by Mandiant and other cybersecurity firms suggests a strong link between APT 1’s activities and China’s state interests.

Global Impact

APT 1's activities have had far-reaching implications for cybersecurity and international relations. The exposure of the group in 2013 was one of the first high-profile cases of publicly attributing a cyber espionage campaign to a specific state unit, raising awareness of the scale and persistence of state-sponsored intrusions. In May 2014 the United States Department of Justice followed with criminal charges against five officers of Unit 61398 for computer hacking and economic espionage, the first such indictment of foreign military personnel.

The case of APT 1 also underscored the vulnerability of critical industries to cyber espionage, prompting companies and governments to invest more heavily in cyber defense and intelligence-sharing mechanisms to combat similar threats.

Conclusion

APT 1 remains one of the most significant examples of state-sponsored cyber espionage in recent history. The group's ability to infiltrate networks, persist in them for years, and exfiltrate data in bulk illustrates the challenges organizations face in protecting their intellectual property from nation-state actors. As cyber defenses continue to evolve, APT 1 serves as a reminder of the ongoing risk posed by advanced persistent threats worldwide.