APT 3, Gothic Panda, Buckeye

Description

(Recorded Future) APT3 (also known as UPS, Gothic Panda, and TG-0110) is a sophisticated threat group that has been active since at least 2010. APT3 utilizes a broad range of tools and techniques including spear-phishing attacks, zero-day exploits, and numerous unique and publicly available remote access tools (RAT). Victims of APT3 intrusions include companies in the defense, telecommunications, transportation, and advanced technology sectors — as well as government departments and bureaus in Hong Kong, the U.S., and several other countries.

Names

Name	Name-Giver
APT 3	Mandiant
Gothic Panda	CrowdStrike
Buckeye	Symantec
TG-0110	SecureWorks
Bronze Mayfair	SecureWorks
UPS Team	Symantec
Group 6	Talos
Red Sylvan	PWC
Brocade Typhoon	Microsoft

Country

• China

Sponsor

State-sponsored, Ministry of State Security and Internet security firm Guangzhou Bo Yu Information Technology Company Limited (“Boyusec”)

Motivation

• Information theft and espionage

First Seen

2007

Observed Sectors

• Aerospace
• Construction
• Defense
• High-Tech
• Manufacturing
• Technology
• Telecommunications
• Transportation

Observed Countries

• Belgium
• Hong Kong
• Italy
• Luxembourg
• Philippines
• Sweden
• UK
• USA
• Vietnam

Tools

• APT3 Keylogger
• Bemstour
• DoublePulsar
• EternalBlue
• HTran
• Hupigon
• LaZagne
• OSInfo
• Pirpi
• PlugX
• RemoteCMD
• shareip
• TTCalc
• w32times
• several 0-days for IE, Firefox and Flash

Operations

• 2007: Hupigon and Pirpi Backdoors https://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html
• 2014-04: Operation “Clandestine Fox” FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue. https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
• 2014-06: Operation “Clandestine Fox”, Part Deux While Microsoft quickly released a patch to help close the door on future compromises, we have now observed the threat actors behind “Operation Clandestine Fox” shifting their point of attack and using a new vector to target their victims: social networking. https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html
• 2014-11: Operation “Double Tap” This actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
• 2015-06: Operation “Clandestine Wolf” In the last several weeks, APT3 actors launched a large-scale phishing campaign against organizations in the following industries: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications and Transportation. https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html
• 2016-03: Variant of the DoublePulsar Backdoor Beginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar. https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit https://research.checkpoint.com/upsynergy/
• 2016-03: Buckeye cyberespionage group shifts gaze from US to Hong Kong https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

Counter Operations

• 2017-11: DOJ reveals indictment against Chinese cyber spies that stole U.S. business secrets https://www.cyberscoop.com/boyusec-china-doj-indictment/
• 2017-11: U.S. Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations

Information

• https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/
• https://www.recordedfuture.com/chinese-mss-behind-apt3/

Mitre Attack

• https://attack.mitre.org/groups/G0022/

Other Information

Uuid

92ced576-2522-4b79-8645-baa5e84ffee3

Last Card Change

2025-06-28