{
	"id": "fb8755c6-8d80-4ba9-b1c2-786a9cd69506",
	"created_at": "2026-04-06T00:17:58.651322Z",
	"updated_at": "2026-04-10T13:11:47.356327Z",
	"deleted_at": null,
	"sha1_hash": "30385c5bbf3c93dc7771e486b9bc8ed5e2674f98",
	"title": "FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37401,
	"plain_text": "FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data\r\nStolen\r\nBy Tom Spring\r\nPublished: 2016-04-07 · Archived: 2026-04-05 13:45:58 UTC\r\nFBI owns up to state-sponsored hackers, known as APT6, who have infiltrated government systems for years\r\npilfering sensitive data.\r\nThe FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US\r\ngovernment computer systems as far back as 2011 and for years stole sensitive data.\r\nThe FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now\r\nshining a bright light on the alert and the mysterious group behind the attack.\r\n“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to\r\nmitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said\r\nDeepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.\r\nDetails regarding the actual attack and what government systems were infected are scant. Government officials\r\nsaid they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.\r\n“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope\r\nof lateral movement inside the compromised network is very high possibly exposing all the critical systems,”\r\nDeepen said.\r\nIn its February bulletin, the FBI wrote: “The FBI has obtained and validated information regarding a group of\r\nmalicious cyber actors who have compromised and stolen sensitive information from various government and\r\ncommercial networks.\r\nThe FBI said the “group of malicious cyber actors” (known as APT6 or 1.php) used dedicated top-level domains\r\nin conjunction with the command and control servers to deliver “customized malicious software” to government\r\ncomputer systems. A list of domains is listed in the bulletin.\r\n“These domains have also been used to host malicious files – often through embedded links in spear phish emails.\r\nAny activity related to these domains detected on a network should be considered an indication of a compromise\r\nrequiring mitigation and contact with law enforcement,” wrote the FBI in its bulletin.\r\nWhen asked for attack specifics, the FBI declined Threatpost’s request for an interview. Instead, FBI\r\nrepresentatives issued a statement calling the alert a routine advisory aimed at notifying system administrators of\r\npersistent cyber criminals. “The release was important to add credibility and urgency to the private sector\r\nannouncements and ensure that the message reached all members of the cyber-security information sharing\r\nnetworks,” wrote the FBI.\r\nhttps://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/\r\nPage 1 of 2\n\nDeepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US\r\nrelations experts, Defense Department entities, and geospatial groups within the federal government. According to\r\nDeepen, APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to\r\nmalware infected websites that contains a malicious SCR file. The payload, Deepen said, is often the Poison Ivy\r\nremote access tool/Trojan or similar. He said the group has varied its command-and-control check-in behavior, but\r\nit is typically web-based and sometimes over HTTPS.\r\nExperts believe that attacks are widespread and not limited to the US federal government systems. “The same or\r\nsimilar actors are compromising numerous organizations in order to steal sensitive intellectual property,” wrote\r\nZscaler in a past report on APT6.\r\nIn December 2014, US government systems were compromised by hackers who broke into the Office of\r\nPersonnel Management computer systems. That data breach, where 18 million people had their personal\r\nidentifiable information stolen, didn’t come to light until months later in June of 2015.\r\nSource: https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/\r\nhttps://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/"
	],
	"report_names": [
		"117267"
	],
	"threat_actors": [
		{
			"id": "0e03175d-b1fe-4d4e-bd3a-a8c0feb5eb43",
			"created_at": "2023-01-06T13:46:38.705578Z",
			"updated_at": "2026-04-10T02:00:03.073956Z",
			"deleted_at": null,
			"main_name": "APT6",
			"aliases": [
				"1.php Group"
			],
			"source_name": "MISPGALAXY:APT6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30385c5bbf3c93dc7771e486b9bc8ed5e2674f98.pdf",
		"text": "https://archive.orkl.eu/30385c5bbf3c93dc7771e486b9bc8ed5e2674f98.txt",
		"img": "https://archive.orkl.eu/30385c5bbf3c93dc7771e486b9bc8ed5e2674f98.jpg"
	}
}