Threat Actor Profile
APT3 (Gothic Panda, UPS Team, Pirate Panda, Buckeye)
APT3, also known as Gothic Panda, UPS Team, Pirate Panda, and Buckeye, is a Chinese state-sponsored cyber-espionage group active since at least 2007. Believed to operate under the Ministry of State Security (MSS) in Guangdong, APT3 is infamous for targeting critical sectors like aerospace, defense, telecommunications, and engineering. They employ advanced tactics, including custom malware and zero-day exploits, to conduct extensive intelligence gathering.
Country of Origin
APT3 is strongly linked to China, specifically a provincial bureau of the Ministry of State Security (MSS) in Guangdong. Their association with Boyusec, a Chinese contractor sanctioned by the U.S. in 2017, reinforces this attribution.
Members
The exact membership size of APT3 remains unknown, but their operations suggest a well-coordinated group with advanced technical capabilities. The group is believed to consist of MSS officers and contracted individuals who have since transitioned to other Chinese cyber units, such as APT10 and APT17.
Leadership
There are no publicly identified individual leaders of APT3. However, the group’s operations and techniques have been tied to Boyusec, a front company for the MSS that facilitated their cyber-espionage activities.
APT3 TTPs
Tactics
APT3 primarily focuses on cyber-espionage, with goals including stealing intellectual property, defense technology blueprints, and sensitive telecommunications data. Their targeted approach reflects their alignment with China's strategic objectives.
Techniques
APT3 gained initial access using methods such as spear phishing and watering-hole attacks. They are adept at exploiting zero-day vulnerabilities, including those in Adobe Flash, Microsoft Office, and Internet Explorer. Their lateral movement often involves credential theft and leveraging Windows administrative tools.
Procedures
Key APT3 procedures include:
Custom malware deployment, such as SHOTPUT (persistent backdoor), PIRPI (memory-based RAT), and COOKIECUTTER.
Utilizing web shells like China Chopper.
Using exploits linked to the NSA’s Equation Group arsenal before they were publicly leaked.
Notable Cyberattacks
Shadow Brokers and Tool Exploitation (2016–2017)
APT3 notably used exploits from the NSA’s Equation Group, including DoublePulsar and EternalRomance, before they were publicly disclosed by Shadow Brokers. This raised questions about how the group obtained such advanced tools.
Zero-Day Exploits (2014–2016)
APT3 executed multiple high-profile attacks using Adobe Flash and Internet Explorer zero-days, compromising numerous organizations in the defense and telecom sectors.
Law Enforcement & Arrests
Following the exposure of Boyusec in 2017, U.S. sanctions effectively dismantled the organization, leading to a reduction in APT3’s public activity. The group’s infrastructure and personnel have since been linked to other MSS-affiliated entities.
How to Defend Against APT3
Patch Management: Regularly update legacy systems, especially those using Flash, IE, or Office.
EDR and Threat Hunting: Invest in endpoint detection for anomalies like LSASS access and web shell activity.
Network Segmentation: Prevent lateral movement by isolating critical systems.
Multi-Factor Authentication (MFA): Secure against credential theft.
Huntress tools, such as advanced threat detection and response platforms, can help identify and neutralize malware and other IOCs linked to APT3.
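The two endpoint anomalies named above, LSASS access and web shell activity, are the kind of behaviour an EDR or threat-hunting rule can catch on Sysmon telemetry. The following is an added example, not code from the profile or from Huntress: it runs two simple rules over constructed Sysmon-style events (Event ID 10 ProcessAccess, Event ID 1 ProcessCreate). The hostnames, paths, PIDs and the EDR sensor path in the allowlist are all made-up assumptions; only the Sysmon field names and the Windows PROCESS_VM_READ access right are real.

```python
"""Detection logic for two APT3-relevant host behaviours:
  1. a process other than an expected system/security component reading lsass.exe memory
     (credential theft tooling needs PROCESS_VM_READ on LSASS);
  2. a web server worker spawning a command interpreter (typical of web shell use).
Events are constructed Sysmon-style records embedded below; nothing here reads a live host.
"""
import json
from typing import Any, Dict, Iterable, List, Tuple

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Processes expected to open lsass.exe with read access on a typical Windows host.
# The EDR sensor path is a hypothetical placeholder; a real allowlist is built per
# environment and should also check the binary's signer, not only its path.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\exampleedr\sensor.exe",  # hypothetical EDR sensor
}

# Web server worker processes that should almost never spawn a shell.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat8.exe"}
# Command interpreters and recon utilities commonly launched through a web shell.
COMMAND_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "whoami.exe", "net.exe"}

# Constructed sample telemetry (Sysmon field names, made-up values).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS02", "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Computer": "WEB01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WEB01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig ..."},  # ASP.NET compilation: expected under w3wp
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # one JSON record per line, as a log feed would deliver


def parse_event(line: str) -> Dict[str, Any]:
    """Parse one JSON-encoded Sysmon-style event."""
    return json.loads(line)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_lsass_access(event: Dict[str, Any]) -> bool:
    """Event ID 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if event.get("EventID") != 10:
        return False
    if _basename(event.get("TargetImage", "")) != "lsass.exe":
        return False
    if event.get("SourceImage", "").lower() in LSASS_ACCESS_ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def is_webshell_child(event: Dict[str, Any]) -> bool:
    """Event ID 1: a web server worker spawned a command interpreter or recon utility."""
    if event.get("EventID") != 1:
        return False
    return (_basename(event.get("ParentImage", "")) in WEB_SERVER_IMAGES
            and _basename(event.get("Image", "")) in COMMAND_IMAGES)


RULES = (("lsass_access", is_suspicious_lsass_access),
         ("webshell_child", is_webshell_child))


def scan(lines: Iterable[str]) -> List[Tuple[str, Dict[str, Any]]]:
    """Run every rule over every event; return (rule_name, event) for each hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for name, rule in RULES:
            if rule(event):
                alerts.append((name, event))
    return alerts


if __name__ == "__main__":
    for name, event in scan(SAMPLE_LINES):
        actor = event.get("SourceImage") or event.get("Image")
        print(f"[{name}] host={event['Computer']} process={actor}")
```

The LSASS rule deliberately keys on the PROCESS_VM_READ bit rather than on a list of exact access masks, so it also catches tools that request broader rights; the cost is that the allowlist must be accurate, and because a path alone can be imitated, production rules should pair it with code-signing checks. The web shell rule ignores benign w3wp children such as the ASP.NET compiler and only fires on interpreters and recon binaries.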