The Mysterious Return of Years-Old APT1 Malware

Security researchers have discovered a new instance of code associated with APT1, a notorious Chinese hacking group that disappeared in 2013.

In 2013, cybersecurity firm Mandiant published a blockbuster report on a state-sponsored hacking team known as APT1, or Comment Crew. The Chinese group achieved instant infamy, tied to the successful hacks of more than 100 US companies and the exfiltration of hundreds of terabytes of data. They also vanished in the wake of being exposed. Now, years later, researchers from security firm McAfee say they’ve found code based on APT1-associated malware cropping up in a new set of attacks.

Specifically, McAfee has found malware that reuses a portion of the code found in an implant called Seasalt, which APT1 introduced sometime around 2010. Lifting and repurposing pieces of malware is not an unusual practice, especially when those tools are widely available or open source. Look no further than the rash of attacks based on EternalBlue, the leaked NSA tool. But source code used by APT1, McAfee says, never became public, nor did it wind up on the black market. Which makes its reappearance something of a mystery.

“When we picked up the samples and we found code reuse for Comment Crew,” says McAfee chief scientist Raj Samani, “all of a sudden it was like an ‘oh shit’ moment.”

Attack Zones

McAfee says it has seen five waves of attacks using the remixed malware, which it calls Oceansalt, dating back to May of this year. The attackers crafted spearphishing emails, with infected Korean-language Excel spreadsheet attachments, and sent them to targets who were involved in South Korean public infrastructure projects and related financial fields.

“They knew the people to target,” Samani says. “They had identified the targets that they needed to manipulate into opening these malicious documents.”

Victims who opened those documents unwittingly installed Oceansalt. McAfee believes the malware was used for initial reconnaissance, but had the ability to take control both of the system it infected and any network that device connected to. “The access that they had was quite significant,” says Samani. “Everything from getting full insight into the file structure, being able to create files, delete files, being able to list processes, terminate processes.”

While the initial attacks focused on South Korea—and appear to have been instigated by people fluent in Korean—they at some point spread to targets in the United States and Canada, focusing especially on the financial, health care, and agricultural industries. McAfee says it’s not aware of any obvious ties between the impacted companies and South Korea, and that the move West may have been a separate campaign.

McAfee does note some differences between Oceansalt and its precursor. Seasalt, for instance, had a persistence method that let it remain on an infected device even after a reboot. Oceansalt does not. And where Seasalt sent data to the control server unencrypted, Oceansalt employs an encoding and decoding process.

Still, the two share enough code that McAfee is confident in the connection. It’s far less certain, though, about who’s behind it.

Who Done It?

It’s hard to overstate just how capable APT1 was, and how unprecedented Mandiant’s insights were at the time. “APT1 were extraordinarily prolific,” says Benjamin Read, senior manager for cyberespionage analysis at FireEye, which acquired Mandiant in 2014. “They were one of the highest in terms of volume. But volume can also allow you to build a pattern of life. When you’re doing that much stuff, you’re going to have slip-ups that expose some of the backend.”

It’s probably not accurate to say that APT1 disappeared after the Mandiant report. It’s just as likely that the unit’s hackers continued to work for China under a different guise. But it is true, Read says, that the tactics, the infrastructure, and specific malware associated with the group haven’t seen the light of day in those five years.

It’s tempting to think, perhaps, that McAfee’s find means that APT1 is back. But attribution is hard under any circumstances, and Oceansalt is no smoking gun. In fact, McAfee sees a few distinct possibilities as to its provenance.

“Either it’s the re-emergence of this group, or potentially you’re looking at state-to-state collaboration with regards to a major espionage campaign, or somebody’s trying to point the finger at the Chinese,” says Samani. “Either one of those three scenarios is quite significant.”

Despite a mounting hacking threat from China, McAfee’s own report considers it “unlikely” that Oceansalt actually marks the return of APT1. Even assuming those hackers are still active somewhere in the Chinese system, why return to tools that had previously been exposed?

Then there’s the possibility that an actor has somehow acquired the code, either directly from China or through other unknown means. “It is possible, very possible, that this was potentially an intended collaboration. Or the source code has been stolen, or something along those lines as well. In some way, shape, or form, that code got into the hands of another threat actor group that is fluent in Korean,” says Samani.

An intriguing possibility, and also hard to pin down. Similarly, the “false flag” option—that a hacking group wants to create cover by making it look like China is responsible—isn’t without precedent, but there are easier ways to mask your activities.

“The place we do see a lot of this, a lot of espionage groups use open source or publicly available tools,” says FireEye’s Read. “It means you don’t have to develop custom stuff, and it’s harder to link things based on malware. It can obfuscate what’s behind it, without implying it’s someone else specifically.”

That there are no good answers around Oceansalt only adds to the intrigue. In the meantime, potential targets should be aware that long-abandoned malware appears to have returned, creating brand new problems for its victims.