
APT1's poor identity segmentation

Introduction

When it comes to OPSEC, government agents sometimes tend to forget the basic steps because of a sense of superiority. In many cases, this kind of behavior leads to serious issues. We have already seen examples of this with the identification of the Israeli spy chief or the downfall of Uzbek state hackers. In this blog post, we will discuss Chinese government hackers and how their poor OPSEC practices led to their identification.

What is APT1

APT1, also known as PLA Unit 61398, is a hacker unit of the Chinese government whose role is to carry out cyber attacks on other governments and foreign corporations. The unit is known to the US government for stealing data from US corporations and deploying malware on US computers.

The group often compromises internal software "comment" features on legitimate web pages to infiltrate target computers that access the sites, leading it to be known as "the Comment Crew" or "Comment Group".

The Chinese government has consistently denied any link with this group of hackers and publicly declares that any claims contradicting its account are "unprofessional".

What are their targets and why

As we saw earlier, APT1 targets foreign governments and corporations. However, it is important to understand exactly who their targets are and why they are targeted.

Not all of the targets are known, but here are some of the main ones that have already been identified:

  • Lockheed Martin: This corporation is an American defense and aerospace manufacturer. It was targeted because of the sensitivity of its information and the potential impact such data could have on the balance of power in a possible conflict between China and the United States.

  • Telvent: This corporation is an information technology and industrial automation company. It develops products for pipeline systems, energy utilities, traffic management, agriculture, and environmental monitoring industries. This organization represents a valuable target because compromising its systems could potentially disrupt critical infrastructure.

  • Alcoa Corporation: This company is an American industrial corporation that produces aluminum and is known as one of the largest aluminum producers in the world. Because it produces and sells a major raw material used in many industries, it can be considered a strategic target that could affect industrial productivity and the economy.

  • Westinghouse Electric Company: This corporation is an American nuclear power company. It provides nuclear products and services to utilities worldwide, including nuclear fuel, maintenance services, instrumentation, control systems, and nuclear power plant design. Targeting such a company could have strategic implications related to energy infrastructure and industrial knowledge.

As you can see, APT1 targeted high-value corporations in order to gain influence on the global stage. Even though China was not in an official conflict with these governments, these actions were carried out to strengthen its strategic position against them. By gathering sensitive data from potential rivals, China could improve its technologies and strategies in order to remain prepared for possible conflicts. Moreover, stealing technological information can also contribute to improving its economy.

What mistakes were made

Poor identity segmentation

The first mistake they made was poor identity segmentation. To illustrate this, we can look at the example of "Ugly Gorilla," one of the hackers from the APT1 team. He used this nickname to perform his sensitive activities and also signed his code with it. This helped opponents identify him as "Ugly Gorilla."

At first glance, this might not seem like a problem since it is only a nickname. However, the real issue is that this nickname had previously been used and registered on software development forums before he began his sensitive activities. When he registered it, he linked it to personal information.

As a result, when "Ugly Gorilla" signed his code and even used the same initials in domain names related to his sensitive activities, he made it easier for researchers to find personal information about him.

By doing this, "Ugly Gorilla" failed to properly separate his identities, which eventually allowed the US government to identify him easily.

This is a basic principle of OPSEC. Never perform any sensitive activities using an identity that can be linked to your real one.

Poor Login/Password creation procedures

The second mistake made by the hackers was following poor login and password creation practices. To be honest, I strongly assume that there was no procedure at all.

When creating email addresses or social media accounts used for their sensitive activities, the hacker known as "Dota" repeatedly used his nickname in each of them. Here are some examples:

  • d0ta010@hotmail.com

  • dota.sb005@gmail.com

  • dota.d013@gmail.com (these Gmail accounts actually numbered over a dozen, from dota.d001 through to dota.d015)

  • a Facebook account, do.ta.5011

As you can see, all of these accounts are easy to connect to "Dota." The issue here is that even if an action was performed without being immediately linked to the APT1 team, the presence of the "Dota" nickname in the email address or social network account automatically created a connection to him.
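To show how a researcher pivots on this kind of nickname reuse, here is an added example (not code from the original post): it normalizes handles by undoing leetspeak and stripping dots and digits, then groups them by a known alias. The handle list is constructed for illustration (the first four mirror the post's examples), the function names are assumptions, and because normalization widens matches, a hit is a lead for manual review rather than proof of identity.

```python
import re

# Constructed sample of account handles (the first four mirror the post's
# examples; the rest are made up for contrast). Not a real data set.
HANDLES = [
    "d0ta010@hotmail.com",
    "dota.sb005@gmail.com",
    "dota.d013@gmail.com",
    "do.ta.5011",
    "ugly.gorilla@example.invalid",
    "uglyg0rilla77",
    "random.user.42",
]

# Common digit-for-letter substitutions an analyst undoes before comparing handles.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_handle(handle: str) -> str:
    """Reduce a handle to a lower-case alphabetic core: drop the mail domain,
    undo leetspeak, then strip dots, digits and punctuation."""
    local_part = handle.split("@", 1)[0].lower()
    return re.sub(r"[^a-z]", "", local_part.translate(LEET))


def alias_matches(handle: str, alias: str) -> bool:
    """True if the normalized handle still embeds the normalized alias.
    Very short aliases would match almost anything, so they are rejected."""
    core = normalize_handle(alias)
    if len(core) < 4:
        raise ValueError(f"alias {alias!r} too short to pivot on safely")
    return core in normalize_handle(handle)


def group_by_alias(handles, aliases):
    """Map each known alias to the handles that embed it. Handles matching no
    alias are kept under the key None so nothing is silently dropped."""
    groups = {alias: [] for alias in aliases}
    groups[None] = []
    for h in handles:
        hits = [a for a in aliases if alias_matches(h, a)]
        for a in hits:
            groups[a].append(h)
        if not hits:
            groups[None].append(h)
    return groups


if __name__ == "__main__":
    for alias, found in group_by_alias(HANDLES, ["dota", "uglygorilla"]).items():
        print(alias, "->", found)
```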

This mistake could have been avoided by generating account names with a randomizer, as described in this blog post.

Regarding the passwords, the hackers used easy-to-guess ones, based on keyboard patterns like "qwerty" or "1qaz2wsx". They even used "rootkit" as a password for rootkit.com.

When it comes to password creation, it is essential to randomize passwords and use a secure password manager to store them.

Adherence to local time zone and time patterns

Here is something that most people don't consider when conducting sensitive activities online: the timeframe in which you operate can reveal a lot about your location.

In the case of APT1, researchers noticed that their activities took place primarily during Beijing business hours. This observation provided two key insights: first, that the actors were likely located in Beijing, and second, that these operations were carried out as part of a regular workday, suggesting they performed these activities in an official or organizational capacity. This assumption was further reinforced by the fact that APT1 members consistently took weekends off, which aligned with a typical workweek schedule and supported the conclusion that their operations were organized as part of a formal employment structure.
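The working-hours inference described above, as an added example (not code from the original post): it scores candidate UTC offsets by how many events land in Mon-Fri business hours and counts events per local weekday. The timestamps are constructed so that they cluster in UTC+8 office hours; the function names and the 09:00-17:59 window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of intrusion timestamps in UTC (illustrative, not real data).
# Most fall between 01:00 and 09:00 UTC on weekdays, i.e. 09:00-17:00 in UTC+8.
EVENTS_UTC = [
    "2013-02-18 01:12", "2013-02-18 03:40", "2013-02-18 08:55",  # Mon
    "2013-02-19 02:05", "2013-02-19 06:30",                      # Tue
    "2013-02-20 01:50", "2013-02-20 04:15", "2013-02-20 07:45",  # Wed
    "2013-02-21 03:20", "2013-02-21 09:10",                      # Thu
    "2013-02-22 02:00", "2013-02-22 05:35",                      # Fri
    "2013-02-23 14:00",                                          # Sat, one outlier
]

BUSINESS_HOURS = range(9, 18)   # 09:00-17:59 local time (assumed office day)
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def to_local(stamp: str, offset_hours: int) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' UTC stamp and shift it to a fixed UTC offset."""
    utc = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=offset_hours)))


def business_hour_fraction(events_utc, offset_hours: int) -> float:
    """Share of events landing in Mon-Fri business hours under a candidate offset."""
    hits = 0
    for e in events_utc:
        local = to_local(e, offset_hours)
        if local.weekday() < 5 and local.hour in BUSINESS_HOURS:
            hits += 1
    return hits / len(events_utc)


def infer_utc_offset(events_utc, candidates=range(-12, 15)):
    """Pick the offset that best explains the events as a regular workday.
    Neighbouring offsets usually score close to the winner, so read the result
    as a narrow window of zones, not one certain location."""
    scores = {off: business_hour_fraction(events_utc, off) for off in candidates}
    best = max(scores, key=scores.get)
    return best, scores[best]


def weekday_histogram(events_utc, offset_hours: int) -> Counter:
    """Events per local weekday; empty Sat/Sun columns point to an office schedule."""
    return Counter(WEEKDAYS[to_local(e, offset_hours).weekday()] for e in events_utc)


if __name__ == "__main__":
    offset, score = infer_utc_offset(EVENTS_UTC)
    print(f"best offset UTC{offset:+d}, {score:.0%} of events in business hours")
    print(weekday_histogram(EVENTS_UTC, offset))
```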

When conducting sensitive activities online, it is crucial to think like the person tracking you. This means taking every step to make your actions appear as random as possible, including varying the times at which you operate.

Although it may seem tedious at first, randomizing your "work hours" is essential. Keep in mind that traditional shifts and weekends off do not exist in the context of sensitive online operations. Operate during the day one day and at night the next. If you need a break, take it on an unpredictable day rather than consistently on weekends.

If possible, try to automate some of your actions so they occur at varying hours. This can help break predictable patterns in your activity. Running a home server can be particularly useful for implementing such automation effectively.

Most mistakes in this area stem from habitual behavior. When you let your habits dictate your actions, you become predictable and easy to anticipate. By consciously randomizing your activities, you make it far more difficult for others to track or understand your patterns.

What do we learn from it

Once again, this case demonstrates that governments are quite bad at conducting sensitive activities online. Whether this is due to overconfidence or to gaps in skills and knowledge is unclear, but the examples presented in the OPSEC Mistakes section of this blog illustrate that many governments display lax practices. This is encouraging for ordinary people, as it means that well-prepared and skilled individuals can observe and counteract their actions.

However, it is crucial for us to learn from their mistakes to avoid repeating them. Continuously improve your OPSEC, remain cautious and diligent, and maintain your invisibility online.


Crabmeat 2026-03-05