Background
APT1, publicly designated as the Comment Crew or Comment Panda, is a Chinese cyber espionage group attributed to the People's Liberation Army (PLA) Unit 61398, also known as the 2nd Bureau of the PLA General Staff Department's 3rd Department. The unit is headquartered in the Pudong district of Shanghai and has operated since at least 2006. In February 2013, Mandiant published a landmark report exposing APT1's infrastructure, operations, and attribution in unprecedented detail, triggering global awareness of Chinese state-sponsored cyber espionage at scale.
APT1's primary mandate was systematic, long-term theft of intellectual property from hundreds of organizations across 20 industries to benefit Chinese state enterprises and the broader economy. The group operated with an industrial efficiency that distinguished it from most other threat actors—running multiple concurrent intrusions, maintaining persistent access to victim networks for months or years, and exfiltrating vast quantities of proprietary business data, engineering specifications, negotiation strategies, and technical documentation.
Unit 61398 employed hundreds of personnel and maintained significant dedicated infrastructure, including purpose-built command-and-control servers, a private fiber-optic communications network, and linguistic personnel proficient in English. Following Mandiant's 2013 exposure and the May 2014 DOJ indictment of five PLA officers, APT1 largely ceased publicly attributable operations. However, many former members are assessed to have continued operating under the reorganized PLA Strategic Support Force (PLASSF) structures.
Notable Campaigns
Operation Comment Crew (2006-2013) — APT1's sustained campaign targeted 141 organizations across 20 industries over a seven-year period. The group established persistent access averaging 356 days per victim, with the longest single compromise lasting nearly five years. Stolen data included technical blueprints, manufacturing processes, clinical trial data, pricing documents, and negotiating positions—directly benefiting Chinese state-owned enterprises competing against Western firms.
Coca-Cola Merger Acquisition (2009) — APT1 compromised Coca-Cola during negotiations to acquire the Huiyuan Juice company. Stolen data included merger strategy documents and executive correspondence. The Chinese government ultimately blocked the acquisition, and some analysts have speculated that the stolen intelligence may have informed the blocking decision.
RSA SecurID Breach Supporting Attack (2011) — APT1 exploited stolen SecurID authentication data, obtained via a separate intrusion at RSA Security, to penetrate multiple U.S. defense contractors. This attack chain demonstrated the group's sophistication in leveraging trusted third-party access to breach high-value targets.
Telvent Canada (2012) — APT1 compromised Telvent Canada, a company that manages industrial control systems for oil and gas pipelines across North America. The intrusion raised serious critical infrastructure concerns, as the stolen data included project files for operational technology systems managing active pipelines.
Media and Legal Sector Targeting (2012-2013) — APT1 extensively targeted U.S. law firms and media organizations covering China or involved in Chinese business transactions, seeking information on trade negotiations, client strategies, and confidential source intelligence.
Tactics, Techniques & Procedures
Initial Access — APT1 relied primarily on spearphishing emails (T1566.001, T1566.002) with malicious attachments or links, frequently tailored to the recipient's professional context. Emails often impersonated trusted business contacts and were crafted to appear legitimate. The group registered domains closely resembling target organizations to host credential-harvesting pages.
Execution and Persistence — After initial compromise, APT1 deployed a sequence of custom backdoors including WEBC2 (which retrieved commands hidden in the HTML comments of web pages it fetched), BISCUIT (a full-featured RAT), and GlooxMail (an XMPP/Jabber-protocol backdoor). Persistence was achieved through scheduled tasks, registry run keys, and custom services. The group maintained multiple independent backdoor channels so that access survived if any one of them was detected.
Collection and Exfiltration — APT1 conducted methodical data staging (T1074.001) within victim networks, compressing and encrypting files before exfiltration (T1041). The group exfiltrated via HTTP/HTTPS (T1071.001) to C2 servers. Remote Desktop Protocol (RDP) was used for interactive access during active collection sessions. Internal network reconnaissance (T1082, T1083) informed targeted collection of the most strategically valuable materials.
Operational Security — The group's activity tracked Chinese business hours and holidays, consistent with PLA work schedules. Infrastructure was geographically distributed to complicate attribution, and compromised intermediary hosts were used as relay points.
Tools & Malware
- WEBC2 — A backdoor that communicates by embedding commands within the comment tags of legitimate web pages, enabling C2 traffic to blend with normal web browsing activity.
- BISCUIT — A full-featured remote access trojan providing file management, command execution, registry manipulation, screenshot capture, and network reconnaissance.
- GlooxMail — A backdoor using the XMPP (Jabber) instant messaging protocol for C2, allowing traffic to masquerade as legitimate IM communications.
- MANITSME — A tool for maintaining persistence and executing commands, delivered as a secondary payload after initial WEBC2 compromise.
- STARSYPOUND — A backdoor discovered by Mandiant capable of receiving commands and executing them, communicating via HTTP.
- MaCroMaIL — A backdoor using macro-enabled documents for initial payload delivery, with C2 over web protocols.
- Seasalt — An older RAT used in earlier APT1 operations, providing basic remote access functionality.
Indicators & Detection
Network-Based Detection — Historical APT1 C2 communication was characterized by HTTP requests to web pages that contained commands embedded in HTML comments. Monitor HTTP traffic to newly registered or low-reputation domains whose responses contain unusual HTML structures. APT1 frequently used IP addresses in the 58.x.x.x range associated with Chinese hosting providers. WEBC2 indicators include HTTP GET requests with unusual timing patterns and responses containing HTML comment tags with encoded content.
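The HTML-comment heuristic above, implemented as an added Python example (this is not code from the Mandiant report or from any APT1 tooling): it splits a raw HTTP response, extracts comments from the body, and flags comment bodies that are base64-decodable or a long high-entropy token. The sample responses are constructed, and the length and entropy thresholds are assumptions to tune against your own baseline traffic.

```python
import base64
import binascii
import math
import re
from typing import List, Tuple

# Non-greedy match of HTML comments, including multi-line ones.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Coarse "looks like a base64 blob" check: alphabet only, 16+ chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; prose comments usually sit well below 4.5."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def suspicious_comments(html: str, min_len: int = 16, entropy_threshold: float = 4.5) -> List[Tuple[str, str]]:
    """Return (comment_body, reason) for comments that resemble encoded payloads.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    hits = []
    for body in COMMENT_RE.findall(html):
        body = body.strip()
        if len(body) < min_len:
            continue
        if B64_RE.match(body):
            try:
                base64.b64decode(body, validate=True)
                hits.append((body, "base64-decodable comment body"))
                continue
            except binascii.Error:
                pass  # alphabet matched but length/padding was wrong; fall through
        # A long single token with no whitespace and high entropy is also unusual.
        if not re.search(r"\s", body) and shannon_entropy(body) >= entropy_threshold:
            hits.append((body, f"high-entropy token ({shannon_entropy(body):.2f} bits/char)"))
    return hits

def scan_http_response(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into headers and body, then scan only the body."""
    body = raw.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in raw else raw
    return suspicious_comments(body)

# Constructed sample responses (not real captures).
BENIGN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          "<html><!-- Begin site header --><body>Welcome</body></html>")
ENCODED = base64.b64encode(b"constructed sample: list c:\\users").decode()
SUSPICIOUS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              f"<html><body>Welcome<!-- {ENCODED} --></body></html>")
```

Calling `scan_http_response(SUSPICIOUS)` returns the encoded comment with the reason "base64-decodable comment body", while the benign page yields nothing.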
Endpoint Detection — Look for Windows scheduled tasks or services created with randomized names or names mimicking system processes. Monitor for unusual outbound connections initiated by svchost.exe or other system processes. Detect BISCUIT by monitoring for processes that inject into Windows system processes and establish outbound network connections.
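As an added example (not from the page's sources), the scheduled-task and service-name check above in Python: each name is compared against a constructed allowlist of Windows system binary names using a restricted Damerau-Levenshtein distance, so one-edit lookalikes such as a substituted or transposed character are caught, and a vowel/digit heuristic flags randomized names. The sample task names are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist of legitimate Windows binary names an attacker might imitate.
SYSTEM_NAMES = sorted({"svchost", "lsass", "csrss", "winlogon", "explorer",
                       "services", "spoolsv", "taskhost"})

def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein: edits and adjacent transpositions cost 1 each."""
    # First row/column hold distances from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def looks_random(base: str) -> bool:
    """Heuristic for generated names: 8+ chars mixing letters and digits with few vowels."""
    letters = [c for c in base if c.isalpha()]
    digits = [c for c in base if c.isdigit()]
    if len(base) < 8 or not letters or not digits:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25

def classify_task_name(name: str) -> Optional[str]:
    """Return a reason string if the task/service name warrants review, else None."""
    base = re.sub(r"\.exe$", "", name.strip().lower())
    if base in SYSTEM_NAMES:
        return None  # exact system name; verify binary path and signature separately
    for legit in SYSTEM_NAMES:
        if osa_distance(base, legit) <= 1:
            return f"lookalike of {legit}"
    if looks_random(base):
        return "random-looking name"
    return None

def triage(names: List[str]) -> List[Tuple[str, str]]:
    """Pair each flagged name with its reason; clean names are dropped."""
    return [(n, r) for n in names if (r := classify_task_name(n))]

# Constructed sample task names (not from any real host).
SAMPLE_TASKS = ["GoogleUpdateTaskMachineUA", "svchost.exe", "svch0st", "scvhost.exe",
                "x7qv9k2lpz", "Adobe Acrobat Update Task"]
```

`triage(SAMPLE_TASKS)` flags the two svchost lookalikes and the randomized name; the exact `svchost.exe` entry passes this check and should be validated by path and signature instead.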
Historical Indicators — APT1 infrastructure has been extensively documented. Block known malicious domains and IP ranges published in the 2013 Mandiant report and subsequent MITRE ATT&CK entries. While the group has been largely dormant since 2013, its techniques have influenced subsequent Chinese APT groups operating under reorganized PLASSF structures.
Defensive Priorities — Organizations in the defense, aerospace, energy, and legal sectors with commercial interests in China should treat their intellectual property as a high-priority target for persistent threats. Implement strict egress filtering and application-layer inspection of outbound HTTP/HTTPS traffic, and deploy deception technology to detect lateral movement.