Menu
Browse

Cyber Threat Actor: APT1

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
16 incidents
Profile

The threat actor referenced in the sources is a Chinese state‑sponsored group that has been publicly linked to the People’s Liberation Army Strategic Support Force (SSF) by Area 1 Security and described in open‑source reporting as operators believed to be operating out of China. The actor is not given a single public alias in the material, but references to “Chinese government hackers,” “Chinese hackers” and the PLA SSF collectively describe the same entity responsible for the campaigns discussed.

Targeting described in the sources focuses on governmental and diplomatic entities as well as defense‑industry firms. The actor has been observed targeting intergovernmental organizations, ministries of foreign affairs, ministries of finance, trade unions, think tanks, the United Nations, the AFL‑CIO and the European Union’s COREU diplomatic communications network. In a separate campaign the same actors were reported to have compromised Israeli defense contractors—Elisra Group, Israel Aerospace Industries and Rafael Advanced Defense Systems—seeking intellectual property related to missile defense, unmanned aerial vehicles and ballistic rockets. These targeting patterns indicate a focus on government‑affiliated sectors in Europe and the Middle East, with an emphasis on diplomatic, financial, trade‑policy and defense‑industry interests.

Strategic objectives articulated by the reporting sources describe the actor’s cyber campaigns as tools for waging war, influencing global trade, stealing intellectual property and financial assets, conducting espionage and producing broader geopolitical effects. This characterization comes directly from statements made by the CEO of Area 1 Security, who framed the activity as a routine instrument of statecraft rather than an isolated or speculative motive.

The tactics, techniques and procedures highlighted in the material emphasize phishing as the dominant initial access vector, described as the method used in nine out of ten intrusions attributed to the group. The actor’s approach is characterized as an “assembly line” operation rather than a series of highly novel or cutting‑edge technical exploits, implying a reliance on repeatable, low‑complexity techniques rather than bespoke malware families. No specific malware families or custom tooling are named in the sources; the emphasis is on the repetitive use of credential‑harvesting or lure‑based emails to gain entry to target networks.

Attribution is explicitly stated in the Area 1 Security report, which ties the observed activity to the PLA’s Strategic Support Force, while the Krebs on Security article notes that the attackers were thought to be operating out of China, linking the intrusions to Chinese state‑backed actors without naming a specific military unit.

Two representative campaigns are highlighted in the sources. The first is the intrusion into the European Union’s COREU network, which the report links to the PLA SSF and describes as part of a broader effort to access diplomatic cables and intergovernmental communications. The second is the series of intrusions against Israeli defense contractors between October 2011 and August 2012, during which attackers exfiltrated large volumes of technical data related to Arrow III missiles, UAVs and ballistic rockets, an operation attributed to Chinese hackers seeking intelligence on Israel’s Iron Dome‑related missile‑defense programs. These incidents illustrate the actor’s recurring focus on high‑value government and defense‑sector targets using relatively conventional phishing‑based intrusion methods.

Incidents
Attributed incidents available to members
15 incidents
Sources
Sources available to members
2 sources