
Comment Crew

aka: Comment Panda, PLA Unit 61398, APT 1, APT1, Advanced Persistent Threat 1, Byzantine Candor, Group 3, TG-8223, Comment Group, Brown Fox, GIF89a, ShadyRAT, Shanghai Group

PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.


Associated Families
win.auriga win.bangat win.biscuit win.bouncer win.combos win.cookiebag win.dairy win.getmail win.glooxmail win.goggles win.hacksfase win.helauto win.kurton win.manitsme win.mapiget win.miniasp win.newsreels win.seasalt win.starsypound win.sword win.tabmsgsql win.tarsip win.webc2_adspace win.webc2_ausov win.webc2_bolid win.webc2_cson win.webc2_div win.webc2_greencat win.webc2_head win.webc2_kt3 win.webc2_qbp win.webc2_rave win.webc2_table win.webc2_ugx win.webc2_yahoo

References
2019 | Council on Foreign Relations | Cyber Operations Tracker
PLA Unit 61398
@online{tracker:2019:pla:33f5d12, author = {Cyber Operations Tracker}, title = {{PLA Unit 61398}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/pla-unit-61398}, language = {English}, urldate = {2019-12-20} }
Comment Crew
2019 | MITRE | MITRE ATT&CK
Group description: APT1
@online{attck:2019:apt1:9f69f1f, author = {MITRE ATT&CK}, title = {{Group description: APT1}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0006/}, language = {English}, urldate = {2019-12-20} }
Comment Crew
2018-10-18 | McAfee | Ryan Sherstobitoff, Asheer Malhotra
‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group
@techreport{sherstobitoff:20181018:operation:f7a178c, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group}}, date = {2018-10-18}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf}, language = {English}, urldate = {2020-01-07} }
Oceansalt Comment Crew
2018-10-17 | Raj Samani, Ryan Sherstobitoff
‘Operation Oceansalt’ Delivers Wave After Wave
@online{samani:20181017:operation:0b1d8ce, author = {Raj Samani and Ryan Sherstobitoff}, title = {{‘Operation Oceansalt’ Delivers Wave After Wave}}, date = {2018-10-17}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/}, language = {English}, urldate = {2019-10-17} }
Comment Crew
2018 | Mandiant | Mandiant
APT1
@techreport{mandiant:2018:apt1:b76cc4d, author = {Mandiant}, title = {{APT1}}, date = {2018}, institution = {Mandiant}, url = {https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf}, language = {English}, urldate = {2020-01-13} }
Auriga Biscuit Bouncer Combos CookieBag Dairy GetMail GlooxMail Goggles Hacksfase Helauto Kurton ManItsMe MAPIget MiniASP NewsReels SeaSalt StarsyPound Sword TabMsgSQL Tarsip WebC2-AdSpace WebC2-Ausov WebC2-Bolid WebC2-Cson WebC2-DIV WebC2-GreenCat WebC2-Head WebC2-Kt3 WebC2-Qbp WebC2-Rave WebC2-Table WebC2-UGX WebC2-Yahoo
2018 | FireEye | FireEye
The Forrester New Wave™: External Threat Intelligence Services, Q3 2018.
@techreport{fireeye:2018:forrester:ae307d3, author = {FireEye}, title = {{The Forrester New Wave™: External Threat Intelligence Services, Q3 2018.}}, date = {2018}, institution = {FireEye}, url = {http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf}, language = {English}, urldate = {2020-01-08} }
Comment Crew
2014-05-19 | The New York Times | Michael S. Schmidt, David E. Sanger
5 in China Army Face U.S. Charges of Cyberattacks
@online{schmidt:20140519:5:fcd4c7c, author = {Michael S. Schmidt and David E. Sanger}, title = {{5 in China Army Face U.S. Charges of Cyberattacks}}, date = {2014-05-19}, organization = {The New York Times}, url = {https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html}, language = {English}, urldate = {2020-01-13} }
Comment Crew
2014-03-12 | FireEye | Ned Moran, Mike Oppenheim
A Detailed Examination of the Siesta Campaign
@online{moran:20140312:detailed:79efe09, author = {Ned Moran and Mike Oppenheim}, title = {{A Detailed Examination of the Siesta Campaign}}, date = {2014-03-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html}, language = {English}, urldate = {2019-12-20} }
Comment Crew Siesta
2014-03-06 | Trend Micro | Maharlito Aquino
The Siesta Campaign: A New Targeted Attack Awakens
@online{aquino:20140306:siesta:9a574bc, author = {Maharlito Aquino}, title = {{The Siesta Campaign: A New Targeted Attack Awakens}}, date = {2014-03-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/}, language = {English}, urldate = {2020-01-13} }
Comment Crew
2013-02-20 | FireEye | Mandiant
APT 1 Malware Arsenal Technical Annex
@online{mandiant:20130220:1:7fa9646, author = {Mandiant}, title = {{APT 1 Malware Arsenal Technical Annex}}, date = {2013-02-20}, organization = {FireEye}, url = {https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal}, language = {Mandiant}, urldate = {2020-01-08} }
bangat
2013-02-19 | Wikipedia | Various
PLA Unit 61398
@online{various:20130219:pla:8419d10, author = {Various}, title = {{PLA Unit 61398}}, date = {2013-02-19}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/PLA_Unit_61398}, language = {English}, urldate = {2020-01-08} }
Comment Crew
2013-02-19 | Symantec | Symantec Security Response
APT1: Q&A on Attacks by the Comment Crew
@online{response:20130219:apt1:08c1ae6, author = {Symantec Security Response}, title = {{APT1: Q&A on Attacks by the Comment Crew}}, date = {2013-02-19}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew}, language = {English}, urldate = {2019-12-18} }
Comment Crew
2013-02-19 | FireEye | FireEye
APT1: Exposing One of China’s Cyber Espionage Units
@techreport{fireeye:20130219:apt1:8d8a51a, author = {FireEye}, title = {{APT1: Exposing One of China’s Cyber Espionage Units}}, date = {2013-02-19}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf}, language = {English}, urldate = {2020-01-06} }
Comment Crew
2013-02-19 | Symantec | A L Johnson
APT1: Q&A on Attacks by the Comment Crew
@online{johnson:20130219:apt1:ee9c94f, author = {A L Johnson}, title = {{APT1: Q&A on Attacks by the Comment Crew}}, date = {2013-02-19}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} }
Comment Crew

Credits: MISP Project