The Archivist: APT1

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 5

China (PLA Unit 61398)

G0006

★★★★★

risk 4/5

✦ The Archivist ✦

APT1

Comment Crew · Comment Panda · Shanghai Group · Unit 61398

AerospaceEnergyTelecommunicationsIT20 identified industries

Active since ~2006 · Intellectual property theft, Economic espionage, Strategic intelligence

It does not want power. It wants knowledge - specifically, your knowledge. Blueprints, contracts, research data: The Archivist catalogs and carries everything across the Pacific for the benefit of state industry.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1071.001

Web Protocols

Command and Control

T1005

Data from Local System

Collection

T1566.001

Spearphishing Attachment

Initial Access

T1083

File and Directory Discovery

Discovery

T1134

Access Token Manipulation

Privilege Escalation

Notable Operations

◆Mandiant APT1 report exposure (2013)
◆Theft of F-35 design documents
◆Dual-use technology exfiltration campaign
◆Hundreds of terabytes stolen over years

Defenses

▸
Data Loss Prevention (DLP) on egress channels
CIS Control 13 ↗
▸
Classification and tagging of sensitive IP
NIST CSF: PR.DS ↗
▸
Outbound traffic inspection and proxy enforcement
CIS Control 9 ↗
▸
Insider threat and data exfiltration behavioral monitoring
NIST CSF: DE.CM ↗

Reversed: Their Weakness

The 2013 Mandiant report named APT1's operators by name, photographed their building, and published their real-person identities. Exposure forced a years-long operational pause.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Serpent Next →The Ten Thousand

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.