APT3

apt3 · primary source: MITRE · first observed 2009 · last observed 2017

CN · ChinaState-sponsoredHigh confidencelast cited Nov 27, 2017 · 8y ago

PRC state-affiliated intrusion set publicly attributed by the U.S. DOJ to the Guangzhou-based front company Boyusec (Guangzhou Bo Yu Information Technology), working in concert with the Ministry of State Security's Guangdong State Security Department. Historically notable for weaponizing equation-group-style exploits (EternalBlue precursors) against U.S. corporate targets including Moody's, Siemens, and Trimble. DOJ unsealed an indictment of Wu Yingzhuo, Dong Hao, and Xia Lei in November 2017; Boyusec subsequently dissolved as a public-facing entity.

Aliases

Gothic PandaCrowdStrikeBuckeyeOtherUPS TeamOtherTG-0110Other

Motivations

espionage

Target sectors

technologyengineeringprofessional servicesmanufacturingfinancial

Target countries

USGBDEHK

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

APT3
China
espionage

Capability

Infrastructure

—

Victim

technology
engineering
professional services
US
GB
+1 more

MITRE ATT&CK techniques

T1190 T1078 T1059.003 T1071.001

Tools & malware

1 entry

PlugXRAT

Timeline

1 event

IndictmentHigh2017-11-28·U.S. Department of Justice
DOJ unseals APT3/Boyusec indictment of three Chinese nationals
U.S. DOJ unsealed an indictment of Wu Yingzhuo, Dong Hao, and Xia Lei — three Chinese nationals working at Guangzhou Bo Yu Information Technology (Boyusec) — for computer hacking, trade-secret theft, and aggravated identity theft against Moody's Analytics, Siemens AG, and Trimble Inc. Boyusec was publicly linked by independent researchers (Intrusion Truth) to the Chinese MSS Guangdong State Security Department and to APT3 itself; the company subsequently dissolved as a public-facing entity.
indictmenttrade-secret-theftchina

Indicators of compromise

1 indicator

defangedcsv

Type	Value	First seen	Source
Name	Pirpi (RSFuncs / sslshell) family · Pirpi Custom Windows RAT used by APT3 (Gothic Panda / TG-0110 / UPS) in browser zero-day campaigns. Group is attributed to Guangzhou Bo Yu Information Technology Co., Ltd. (Boyusec), a MSS contractor. On 27 November 2017 the U.S. DOJ unsealed an indictment against Boyusec employees Wu Yingzhuo, Dong Hao and Xia Lei for intrusions into Moody's, Siemens and Trimble between 2011 and 2017.	Dec 31, 2009	U.S. Department of Justice

Related actors

shared ATT&CK techniques

CN · ChinaFlax Typhoon3 shared techniques
KP · DPRKAndariel2 shared techniques
- T1078
- T1190
IR · IranAPT392 shared techniques
- T1071.001
- T1078
RU · RussiaDragonfly2 shared techniques
- T1078
- T1190
CN · ChinaGTG-10022 shared techniques
- T1078
- T1190
IR · IranPioneer Kitten2 shared techniques
- T1078
- T1190

References

cite this page

Threat Intel Tracker. (2026-05-19). APT3 — actor profile. Retrieved from https://threatintel.local/actors/apt3

latest cited activity · 2017-11-28 · 1 cataloged indicators