
APT3 Evaluation: Overview

Adversary Emulated

APT3, Gothic Panda (also referred to as ATT&CK Evaluations Round 1)

Initial Cohort: Carbon Black, Crowdstrike, Endgame, GoSecure, Microsoft, RSA, SentinelOne
Rolling Admissions: Cybereason, F-Secure, FireEye, McAfee, Palo Alto Networks
Note: Initial Cohort results were released on November 29, 2018. Subsequent rolling admissions were released as completed throughout 2019. We announced the closure of APT3 Evaluation on May 1, 2019, releasing the last of the results in October 2019.

Emulation Tools

Scenario 1: Cobalt Strike (https://www.cobaltstrike.com/)
Scenario 2: PowerShell Empire (https://www.powershellempire.com/)

ATT&CK Description

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. [1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [4]

Emulation Notes

APT3 relies on harvesting credentials, issuing on-keyboard commands (rather than Windows API calls), and using programs already trusted by the operating system ("living off the land"). Conversely, APT3 is not known to use elaborate scripting techniques, to leverage exploits after initial access, or to use anti-EDR capabilities such as rootkits or bootkits.

Scenario Overview

Two scenarios emulate publicly reported APT3/Gothic Panda tradecraft and operational flows. In both scenarios, access to the target victim is established first. The scenario then proceeds through local and remote discovery, elevation of privileges, and collection of available credentials, and finally lateral movement within the breached network before sensitive data is collected and exfiltrated. Both scenarios also include executing previously established persistence mechanisms after a simulated time lapse. Red Team tooling is what primarily distinguishes the two scenarios: Cobalt Strike was used to execute the first scenario, while PowerShell Empire was used to execute the second. Using two different toolsets produced diversity and an observable variance in how the APT3/Gothic Panda behaviors were emulated.

For details on the APT3 emulation, please refer to the Operational Flow.

Additional Resources

  1. Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
  2. Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3
  3. Operation Double Tap
  4. Buckeye cyberespionage group shifts gaze from US to Hong Kong