APT6 engages in cyber operations where the goal is data theft, most likely data and projects that make an organization competitive within its field. APT6 targeted organizations headquartered in the U.S and U.K.
Name: 1.php Group, APT6
Suspected attribution: China
Date of initial activity: 2008
Targets: China and US relations experts, Defense Department entities, and geospatial groups within the federal government.
Motivation: Information theft and espionage
Associated malware: Poison Ivy (FBI) – BELUGA, EXCHAIN, PUPTENT (FireEye)
Attack vectors: Utilizes several custom backdoors, including some used by other APT groups as well as those that are unique to the group.
How they work: APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file. The payload, Deepen said, is often the Poison Ivy remote access tool/Trojan or similar. The group has varied its command-and-control check-in behavior, but it is typically web-based and sometimes over HTTPS.
The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT 6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data. The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack. “This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost. Details regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks. “Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems.”