APT3 hackers who stole ASIO blueprints linked to Chinese govt

Researchers have identified a contractor for China's Ministry of State Security as the APT3 hacking group behind multiple network intrusions over the past few years.

APT3 was the group responsible for the 2013 hack that saw the blueprints for the new ASIO building in Canberra stolen through malware uploaded to an employee's laptop.

APT3 is also known as BuckEye, UPS Team, Gothic Panda and TG-011, and has been active since 2011, security vendor Recorded Future said.

While other security vendors have suspected APT3 is China-based, no concrete connection until now has been made.

An anonymous researcher known as IntrusionTruth linked two Chinese individuals to a cyber security firm called Boyusec by analysing domain registrations for the APT3 group's malware attacks.  Recorded Future confirmed the link.

Domain names used by attackers for the command and control servers for the Pirpi backdoor malware had previously been published by FireEye; IntrusionTruth tied these to the two Chinese individuals via whois registration records.

The two are shareholders in Boyusec, a security vendor licensed by the Chinese government.

Boyusec was last year alleged by the United States government to be working with the Ministry of State Security Intelligence (MSSI), as well as telco supplier Huawei, on cyberespionage operations.

APT3's main activity appears to be targeting aerospace and defence, construction, high-tech, telcos and transportation organisations.

Security vendor FireEye in June 2015 said APT3 was responsible for the large-scale "Operation Clandestine Wolf" phishing attacks in South East Asia, which exploited a zero-day vulnerability in Adobe Flash to implant a backdoor into the victim's system.

Phishing is the group's favoured attack method. It uses this approach to plant malware that installs remote access tools on targets' computers to steal information.