• APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
• APT1 maintains an extensive infrastructure of computer systems around the world.
• In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
• The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
• In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
• Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.

The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1. We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398. However, we admit there is one other unlikely possibility:

A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.

Mandiant APT1 Report (PDF)