Threat Group Cards: A Threat Actor Encyclopedia

APT group: APT 3, Gothic Panda, Buckeye

Names	APT 3 (Mandiant) Gothic Panda (CrowdStrike) Buckeye (Symantec) TG-0110 (SecureWorks) Bronze Mayfair (SecureWorks) UPS Team (Symantec) Group 6 (Talos) Red Sylvan (PWC)
Country	China
Sponsor	State-sponsored, Ministry of State Security and Internet security firm Guangzhou Bo Yu Information Technology Company Limited (“Boyusec”)
Motivation	Information theft and espionage
First seen	2007
Description	(Recorded Future) APT3 (also known as UPS, Gothic Panda, and TG-0110) is a sophisticated threat group that has been active since at least 2010. APT3 utilizes a broad range of tools and techniques including spear-phishing attacks, zero-day exploits, and numerous unique and publicly available remote access tools (RAT). Victims of APT3 intrusions include companies in the defense, telecommunications, transportation, and advanced technology sectors — as well as government departments and bureaus in Hong Kong, the U.S., and several other countries.
Observed	Sectors: Aerospace, Construction, Defense, High-Tech, Manufacturing, Technology, Telecommunications, Transportation. Countries: Belgium, Hong Kong, Italy, Luxembourg, Philippines, Sweden, UK, USA, Vietnam.
Tools used	APT3 Keylogger, Bemstour, DoublePulsar, EternalBlue, HTran, Hupigon, LaZagne, OSInfo, Pirpi, PlugX, RemoteCMD, shareip, TTCalc, w32times and several 0-days for IE, Firefox and Flash.
Operations performed	2007	Hupigon and Pirpi Backdoors <https://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html>
	Apr 2014	Operation “Clandestine Fox” FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue. <https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>
	Jun 2014	Operation “Clandestine Fox”, Part Deux While Microsoft quickly released a patch to help close the door on future compromises, we have now observed the threat actors behind “Operation Clandestine Fox” shifting their point of attack and using a new vector to target their victims: social networking. <https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html>
	Nov 2014	Operation “Double Tap” This actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. <https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html>
	Jun 2015	Operation “Clandestine Wolf” In the last several weeks, APT3 actors launched a large-scale phishing campaign against organizations in the following industries: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications and Transportation. <https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html>
	Mar 2016	Variant of the DoublePulsar Backdoor Beginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar. <https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit> <https://research.checkpoint.com/upsynergy/>
	Mar 2016	Buckeye cyberespionage group shifts gaze from US to Hong Kong <https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong>
Counter operations	Nov 2017	DOJ reveals indictment against Chinese cyber spies that stole U.S. business secrets <https://www.cyberscoop.com/boyusec-china-doj-indictment/>
	Nov 2017	U.S. Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage <https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations>
Information	<https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/> <https://www.recordedfuture.com/chinese-mss-behind-apt3/>
MITRE ATT&CK	<https://attack.mitre.org/groups/G0022/>

Last change to this card: 12 September 2022

Download this actor card in PDF or JSON format