> threat_actor APT1 —— origin: PRC (PLA Unit 61398) —— alias: Comment Crew —— victims: 141 organisations —— data stolen: hundreds of terabytes
APT1 — also known as the Comment Crew, Comment Group, Comment Panda, Byzantine Candor, Shanghai Group, and TG-8223 — is a Chinese state-sponsored cyber espionage group attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's 3rd Department, identified by its Military Unit Cover Designator (MUCD) as Unit 61398. Operating from a 12-storey building off Datong Road in the Pudong New Area of Shanghai, APT1 conducted what Mandiant described as 'a multi-year, enterprise-scale computer espionage campaign' — systematically stealing hundreds of terabytes of intellectual property from at least 141 organisations across 20 major industries since 2006.
APT1 is not just another threat actor profile. It is the threat actor that created the threat intelligence industry as we know it. Mandiant's February 2013 report — APT1: Exposing One of China's Cyber Espionage Units — was the first time a private security firm publicly attributed a sustained cyber espionage campaign directly to a specific military unit of a nation state, named individual operators, traced activity to physical buildings and IP addresses, and released over 3,000 indicators of compromise to enable global defence. The report forced the US government to act, leading to the unprecedented 2014 indictment of five PLA officers by the Department of Justice. Every threat intelligence report published since — including the profiles on this blog — follows the template that Mandiant established with APT1.
The name 'Comment Crew' derives from the group's signature technique: their WEBC2 backdoors retrieved commands hidden within HTML comment tags on attacker-controlled web pages. The malware would request a seemingly ordinary web page, then parse the HTML comments for encoded instructions. It was an elegant, stealthy approach — HTTP requests to web pages blend perfectly with normal internet traffic, and the commands themselves were invisible to anyone casually viewing the page source.
| Attribute | Detail |
|---|---|
| Tracked Names | APT1 (Mandiant), Comment Crew / Comment Group / Comment Panda (CrowdStrike), Byzantine Candor (US Intelligence Community codename, in use since 2002), Shanghai Group, BrownFox, GIF89a, TG-8223. |
| State Sponsor | People's Republic of China — People's Liberation Army (PLA), 2nd Bureau of the General Staff Department's 3rd Department, Military Unit Cover Designator 61398. Following the 2015 PLA military reforms, capabilities previously housed in the GSD 3rd Department and 4th Department were unified within the newly established PLA Strategic Support Force (SSF), now the PLA Information Support Force. Unit 61398's functions transferred to the SSF Network Systems Department. |
| Physical Location | Mandiant traced APT1's operations to a 12-storey building off Datong Road in a public, mixed-use area of Pudong, Shanghai. The building sits within the compound at which Unit 61398 is stationed. From this location, APT1 had direct access to a purpose-built fibre-optic network operated by state-owned China Telecom. Over half of the HTML pages used for WEBC2 command-and-control had domain names registered to Shanghai phone numbers from the Pudong district or Shanghai addresses. |
| Scale of Operations | Public accounts suggest Unit 61398 comprised hundreds, possibly thousands of employees. Mandiant estimated APT1 required the continuous support of several dozen to potentially hundreds of operators, based on the attack infrastructure and regular malware updates directly observed. The group demonstrated the capability to compromise dozens of organisations simultaneously — industrial-scale operations consistent with a military bureau, not a small hacking team. |
| Indicted Individuals | On 19 May 2014, the US Department of Justice indicted five Unit 61398 officers on charges of theft of confidential business information and intellectual property from US commercial firms and planting malware on their computers: Wang Dong (王东, alias 'UglyGorilla'), Sun Kailiang (孙凯亮), Wen Xinyu (文新宇), Huang Zhenyu (黄振宇), and Gu Chunhui (顾春晖). This was the first time the US government criminally charged foreign military officials for economic cyber espionage. |
| Active Period | At least 2006 to 2013 (confirmed by Mandiant). WEBC2 compile timestamps suggest development activity as early as 2004. Following Mandiant's February 2013 report, APT1 shut down command-and-control infrastructure and appears to have ceased operations or fundamentally restructured. The 2015 PLA reforms absorbed its capabilities into the SSF. The group's tradecraft, tools, and source code continue to influence PRC cyber operations — McAfee documented 'Operation Oceansalt' in 2018 using recompiled APT1 source code. |
The scale of APT1's operations is what earned them the title of 'persistent data hoarder'. Unlike threat actors who breach a target, steal what they need, and leave, APT1 maintained access to victim networks for months or years, continuously stealing broad categories of intellectual property. They did not exfiltrate targeted documents — they hoarded everything.
The figure of 6.5 terabytes stolen from a single organisation over ten months deserves emphasis. That is not a targeted extraction of specific files — it is the wholesale copying of an organisation's intellectual capital. Technology blueprints, proprietary manufacturing processes, business plans, pricing documents, negotiation strategies, test results, partnership agreements, emails, and contact lists — APT1 took everything of potential value and continued taking it for as long as they had access.
APT1's targeting was not random. The 20 industries they compromised align precisely with China's strategic economic development priorities — sectors where stolen intellectual property would directly accelerate Chinese industrial capability and reduce dependency on foreign technology.
| Sector | Strategic Value to PRC | Notable Operations |
|---|---|---|
| Aerospace and Defence | Military modernisation, indigenous aircraft and weapons development, reducing dependency on foreign defence technology. | Intrusions into three Israeli defence contractors providing components for Israel's Iron Dome air defence system (2011–2012). Sustained campaigns against US and European aerospace companies. |
| Information Technology | Technology transfer, understanding competitor products, acquiring source code and design documents for Chinese domestic alternatives. | Multiple IT companies compromised simultaneously. Source code, product roadmaps, and proprietary technology designs exfiltrated. |
| Energy and Oil & Gas | Energy security, understanding competitor extraction and processing technology, supporting state-owned energy companies. | Reconnaissance missions against 23 US oil and gas pipeline operators (2011–2013) — assessed as developing cyber capabilities to cause physical damage to pipeline infrastructure. Part of the broader Operation ShadyRAT targeting the energy sector. |
| Telecommunications | Network architecture intelligence, supporting Chinese telecoms companies' global expansion, potential surveillance access. | Telecommunications providers in the US, Europe, and Asia Pacific targeted for network architecture documentation and technology. |
| Financial Services | Economic intelligence, understanding Western financial system architecture, supporting Chinese financial institutions' global operations. | Banking and financial institutions targeted for internal processes, technology platforms, and strategic planning documentation. |
| Manufacturing and Chemicals | Proprietary manufacturing processes, chemical formulations, industrial engineering designs — directly transferable to Chinese state-owned enterprises. | Manufacturing companies across multiple sub-sectors compromised. Chemical formulations and industrial process documentation stolen. |
Additional sectors compromised include: navigation, mining, construction, agriculture, food, healthcare, education, media, government, and legal services. The breadth is remarkable — APT1 was not a specialist unit targeting a single sector but an industrial-scale intelligence collection operation serving China's comprehensive economic development agenda. The 141 confirmed victims span North America, Europe, Asia-Pacific, the Middle East, and parts of Africa, with the heaviest concentration in the United States.
APT1's signature WEBC2 backdoor family is the reason the group became known as the Comment Crew. The technique is deceptively simple but was remarkably effective for nearly a decade.
Mandiant observed APT1 operators logging into WEBC2 C2 servers and manually editing the HTML files that backdoors would download. Because the encoded commands were difficult to type from memory, operators typically copied and pasted command strings into the HTML files — a small operational detail captured by Mandiant's monitoring that reinforced the human nature of the threat: these were individuals at keyboards, working shifts, making mistakes, following procedures.
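Defenders can hunt for this comment-channel C2 pattern in proxied HTTP responses. The following Python is an added example, not Mandiant's code or an APT1 sample: it pulls HTML comments out of a response body and flags those that look like encoded payloads rather than developer notes (a single token drawn from the base64 alphabet that decodes cleanly and has high character entropy). The page bodies, the blob and the entropy threshold are constructed assumptions for the demo.

```python
import base64
import binascii
import math
import re

# Constructed sample response bodies: one with an ordinary developer comment,
# one whose comment carries a base64 blob where a WEBC2-style implant would look.
ENCODED_BLOB = base64.b64encode(
    b"placeholder encoded instruction blob, constructed for this demo"
).decode()
PAGES = {
    "benign": "<html><!-- TODO: fix footer layout --><body><p>Welcome</p></body></html>",
    "suspicious": (
        "<html><!-- " + ENCODED_BLOB + " --><body><p>Welcome</p></body></html>"
    ),
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A single whitespace-free token from the base64 alphabet, 16+ characters.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs spread more evenly than short prose."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_comments(html: str, min_entropy: float = 3.5) -> list:
    """Return HTML comments that look like encoded payloads, with their entropy."""
    hits = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        # Developer notes contain spaces and punctuation; skip those outright.
        if not B64_TOKEN_RE.match(body):
            continue
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error:
            continue
        entropy = shannon_entropy(body)
        if entropy >= min_entropy:
            hits.append({"comment": body, "entropy": round(entropy, 2)})
    return hits


def scan_pages(pages: dict) -> dict:
    """Map each page label to its flagged comments; an empty list means clean."""
    return {label: suspicious_comments(html) for label, html in pages.items()}


if __name__ == "__main__":
    for label, hits in scan_pages(PAGES).items():
        print(label, "->", hits or "clean")
```

The heuristic will miss implants that hide commands in other tag attributes (several WEBC2 variants did), so treat it as one hunting query among several rather than a complete signature.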
| Tool Category | Examples | Purpose |
|---|---|---|
| Beachhead Backdoors (WEBC2 Family) | WEBC2-TABLE, WEBC2-KT3, WEBC2-QBP, WEBC2-UGX, WEBC2-Y21K, WEBC2-CSON, WEBC2-DIV, WEBC2-HEAD, WEBC2-IE, WEBC2-RAVE, WEBC2-YAHOO, and others. | Initial access maintenance. Retrieve web pages from C2 servers and interpret HTML tags as commands. Provide basic capabilities: command shell, file download/execute, sleep. First-stage implant that enables deployment of more capable 'standard' backdoors. |
| Standard Backdoors | BISCUIT, MANITSME, Auriga, Bangat, Helauto, Kurton, MiniASP, ShadyRAT, StarsyPound, Sword, Seasalt. | Full-capability remote access. BISCUIT (named for its 'bdkzt' command) is the best-documented example — supports interactive shell, file management, process enumeration and termination, server listing, registry operations, remote desktop, and screenshot capture. Standard backdoors communicate via HTTP or custom protocols designed to mimic legitimate traffic. |
| Credential Theft Tools | Mimikatz, pwdump, cachedump, ProcDump, Pass-the-Hash Toolkit, lslsass. | Credential harvesting from LSASS memory, registry caches, and SAM databases. Primarily publicly available tools — APT1 did not need to develop custom credential theft tools because existing ones worked perfectly well. |
| Email Exfiltration | GETMAIL, GDOCUPLOAD, MAPIget. | Purpose-built tools for stealing email at scale. GETMAIL extracts emails from Exchange servers. MAPIget uses MAPI protocols for mail access. Reflects the high value APT1 placed on email as an intelligence source — business communications reveal strategy, relationships, and decision-making. |
| Droppers and Downloaders | GLASSES, GOGGLES, LIGHTDART, ManItsMe (attributed to operator UglyGorilla). | Delivery mechanisms for deploying backdoors onto compromised systems. Package malware with phishing lures, handle installation, and ensure persistence. |
| Lateral Movement | PsExec (Microsoft Sysinternals), Windows Task Scheduler, HTRAN (HUC Packet Transmit Tool), RDP. | Moving through victim networks. APT1 used PsExec and Task Scheduler for remote execution — both legitimate tools. HTRAN was used 767 confirmed times to proxy connections through hop points back to Shanghai. Pass-the-Hash attacks enabled movement without needing actual passwords. |
APT1's attack lifecycle was methodical and disciplined — a well-defined methodology honed over years and designed to steal large volumes of data from many organisations simultaneously. Unlike sophisticated threat actors who delete traces after their mission, APT1 maintained access and continued stealing for as long as possible.
One of Mandiant's most impactful decisions was to identify individual APT1 operators — demonstrating that state-sponsored cyber espionage is conducted by real people who make mistakes, leave traces, and can be identified. Three personas were publicly attributed in the original report.
| Persona | Real Name | Key Indicators |
|---|---|---|
| UglyGorilla (UG) | Wang Dong (王东) | APT1's most prolific identified operator. Created tools MANITSME and WEBC2-UGX — both named with his 'UG' identifier embedded. Used the 'UglyGorilla' username consistently across web accounts, hacking forums, and social media — enabling researchers to trace his online activity to Shanghai, to hacking tool development, and ultimately to Unit 61398. Indicted by DOJ in 2014. |
| SuperHard | Mei Qiang (美强) | Used the handle 'SuperHard' in domain registrations and online accounts. Linked to APT1 infrastructure through registration details and operational patterns. Online presence connected to information security topics and Shanghai geography. |
| DOTA | Sun Kailiang (孙凯亮) | Used the handle 'DOTA' across operational infrastructure. Indicted by DOJ alongside UglyGorilla. His identification — like UG's — was possible because of poor operational security: reusing personal handles across operational and personal accounts. |
FireEye later confirmed the DOJ's findings, noting that APT1's intrusion activity followed an '8:00 AM to 5:00 PM' work-day pattern aligned with Shanghai business hours — reinforcing that these operators worked regular shifts in an office environment, not from personal computers. They were military personnel conducting assigned duties.
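The work-day analysis is straightforward to reproduce from a defender's own logs. This Python is an added example, not FireEye's or Mandiant's method: it buckets C2 check-in timestamps into local hours for a set of candidate time zones and reports which zone places the most activity inside an 8:00 to 17:00 working day. The timestamps are constructed, and the candidate zones are modelled as fixed UTC offsets (Shanghai observes no DST; zones that do would need zoneinfo for dates across a DST change).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed check-in timestamps (UTC), as a proxy or firewall might export them.
SAMPLE_CHECKINS_UTC = [
    "2012-02-06T00:05:00Z", "2012-02-06T01:12:00Z", "2012-02-06T02:30:00Z",
    "2012-02-06T03:45:00Z", "2012-02-07T05:00:00Z", "2012-02-07T06:20:00Z",
    "2012-02-07T07:10:00Z", "2012-02-08T08:40:00Z", "2012-02-08T12:00:00Z",
    "2012-02-08T15:30:00Z",
]

# Candidate operator locations as fixed UTC offsets (assumption: winter offsets).
CANDIDATE_ZONES = {"Asia/Shanghai": 8, "Europe/London": 0, "America/New_York": -5}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_histogram(timestamps, utc_offset_hours: int) -> Counter:
    """Count check-ins per local hour (0-23) at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in timestamps)


def business_hours_fraction(hist: Counter, start: int = 8, end: int = 17) -> float:
    """Share of activity falling in [start, end) local time; 0.0 if no events."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return sum(n for h, n in hist.items() if start <= h < end) / total


def rank_zones(timestamps, zones=CANDIDATE_ZONES) -> list:
    """Candidate zones sorted by how much activity sits inside the working day."""
    scored = [(zone, business_hours_fraction(hour_histogram(timestamps, offset)))
              for zone, offset in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for zone, frac in rank_zones(SAMPLE_CHECKINS_UTC):
        print(f"{zone:18s} {frac:.0%} of check-ins in 08:00-17:00 local time")
```

Hour-of-day clustering is supporting evidence only; automated beacons and scheduled tasks check in around the clock, so filter to interactive sessions before drawing conclusions.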
The Mandiant APT1 report triggered a cascade of consequences that reshaped international cybersecurity policy, the threat intelligence industry, and US-China relations.
APT1 was the most prolific PRC cyber espionage group in terms of sheer data volume, but it was one unit within a much larger ecosystem. Understanding APT1's role requires placing it alongside the other PRC-linked groups that operate with different mandates, target sets, and techniques.
| Group | Affiliation | Focus |
|---|---|---|
| APT1 / Comment Crew | PLA Unit 61398 | Broad industrial espionage — 141+ organisations, 20+ industries, hundreds of terabytes stolen. Volume-focused collection aligned with China's strategic economic priorities. |
| APT12 / Numbered Panda | PLA | East Asian focus — Taiwanese and Japanese government, media (New York Times breach 2012), high-technology. Known for rapid retooling after public exposure. |
| APT10 / Stone Panda | MSS (Tianjin) | Supply chain attacks via managed service providers (MSPs). Global targeting — healthcare, defence, aerospace, technology. |
| APT40 / Leviathan | MSS (Hainan) | Maritime, defence, aviation — focus on South China Sea territorial interests. Subject of a 2024 eight-nation advisory. |
| APT41 / Winnti | MSS (dual-use) | Unique dual espionage and financially motivated operations. Healthcare, telecoms, technology, video games. Supply chain compromises. |
| Volt Typhoon | PRC (unit unknown) | Pre-positioning in US critical infrastructure — water, energy, telecoms, transport. Living-off-the-land techniques. Assessed as preparation for potential conflict scenarios. |
APT1 was the most prolific data thief in the history of documented cyber espionage. Operating as PLA Unit 61398 from a 12-storey building in Shanghai's Pudong district, the group systematically compromised 141 organisations across 20 industries, stealing hundreds of terabytes of intellectual property over a period of at least seven years. Their longest known operation maintained persistent access to a single victim network for nearly five years. Their largest documented single-victim theft was 6.5 terabytes in ten months. They operated at industrial scale, compromising dozens of organisations simultaneously, supported by hundreds of personnel and a purpose-built fibre-optic network.
Mandiant's 2013 report exposing APT1 remains the single most consequential publication in the history of cyber threat intelligence. It demonstrated that a private-sector firm could attribute state-sponsored espionage to a specific military unit, name individual operators, and release actionable intelligence to the global defender community. The report led to the first-ever criminal indictment of foreign military officials for cyber espionage, a bilateral agreement between the US and Chinese presidents, and the birth of the commercial threat intelligence industry. Every threat actor profile, every APT report, every IOC-sharing platform that exists today traces its lineage to Mandiant's decision to publish.
APT1 is no longer active in its original form. But the lessons it teaches are as relevant today as they were in 2013. Dwell time, not initial access, is where the damage accumulates. Spear-phishing remains the primary vector. Attackers use your own tools against you. Data hoarding means everything accessible will be stolen. And the threat actors never really disappear — they restructure, retool, and return under different names with better operational security. The defenders who remember APT1's lessons are better prepared for what comes next.
APT1 maintained access for an average of 356 days per victim. Our penetration testing and red team engagements measure not just whether your perimeter can be breached, but whether your detection and response capabilities can identify and contain an intruder before significant data loss occurs.