{
	"id": "e0bc88d3-d36d-49ea-a1de-937cb7597176",
	"created_at": "2026-04-06T00:10:11.644253Z",
	"updated_at": "2026-04-10T03:37:26.209108Z",
	"deleted_at": null,
	"sha1_hash": "38a5cc2d66914089971edbce1748bfe048527edf",
	"title": "Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3 | Recorded Future",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1951437,
	"plain_text": "Recorded Future Research Concludes Chinese Ministry of State\r\nSecurity Behind APT3 | Recorded Future\r\nBy INSIKT GROUP\r\nArchived: 2026-04-05 21:33:43 UTC\r\nThis is the first time researchers have been able to attribute a threat actor group with a high degree of confidence\r\nto the Ministry of State Security.\r\nKey Takeaways\r\nAPT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the\r\nChinese Ministry of State Security (MSS).\r\nOn May 9, a mysterious group called “intrusiontruth” attributed APT3 to a company, Guangzhou Boyu\r\nInformation Technology Company, based in Guangzhou, China.\r\nRecorded Future’s open source research and analysis has corroborated that the company, also known as\r\nBoyusec, is working on behalf of the Chinese Ministry of State Security.\r\nCustomers should re-examine any intrusion activity known or suspected to be APT3 and all activity from\r\nassociated malware families, as well as re-evaluate security controls and policies.\r\nIntroduction\r\nOn May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of\r\nState Security (MSS) as the group behind the APT3 cyber intrusions.\r\nhttps://www.recordedfuture.com/research/chinese-mss-behind-apt3\r\nPage 1 of 9\n\nRecorded Future timeline of APT3 victims.\r\nScreenshot of a blog post from “intrusiontruth in APT3.”\r\n“Intrusiontruth” documented historic connections between domains used by an APT3 tool called Pirpi and two\r\nshareholders in a Chinese information security company named Guangzhou Boyu Information Technology\r\nCompany, Ltd (also known as Boyusec).\r\nRegistration information for a domain linked to the malware Pirpi.
The details show the domain was registered to\r\nDong Hao and Boyusec.\r\nAPT3 has traditionally targeted a wide range of companies and technologies, likely to fulfill intelligence\r\ncollection requirements on behalf of the MSS (see research below). Recorded Future has been closely following\r\nAPT3 and has discovered additional information corroborating that the MSS is responsible for the intrusion\r\nactivity conducted by the group.\r\nRecorded Future Intelligence Card™ for APT3.\r\nBackground\r\nAPT3 (also known as UPS, Gothic Panda, and TG-011) is a sophisticated threat group that has been active since at\r\nleast 2010. APT3 utilizes a broad range of tools and techniques including spearphishing attacks, zero-day exploits,\r\nand numerous unique and publicly available remote access tools (RATs). Victims of APT3 intrusions include\r\ncompanies in the defense, telecommunications, transportation, and advanced technology sectors — as well as\r\ngovernment departments and bureaus in Hong Kong, the U.S., and several other countries.\r\nAnalysis\r\nOn Boyusec’s website, the company explicitly identifies two organizations that it cooperatively partners with,\r\nHuawei Technologies and the Guangdong Information Technology Security Evaluation Center (or Guangdong\r\nITSEC).\r\nScreenshot of Boyusec’s website where Huawei and Guangdong ITSEC are\r\nidentified as collaborative partners.\r\nIn November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed\r\na product that Boyusec and Huawei were jointly producing.
According to the Pentagon’s report, the two\r\ncompanies were working together to produce security products, likely containing a backdoor, that would allow\r\nChinese intelligence “to capture data and control computer and telecommunications equipment.” The article\r\nquotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that\r\nBoyusec appears to be a cover company for the MSS.\r\nImagery ©2017 DigitalGlobe, Map data ©2017\r\nBoyusec is located in Room 1103 of the Huapu Square West Tower in Guangzhou, China.\r\nBoyusec’s work with its other “cooperative partner,” Guangdong ITSEC, has been less well-documented. As will\r\nbe laid out below, Recorded Future’s research has concluded that Guangdong ITSEC is subordinate to an MSS-run\r\norganization called China Information Technology Evaluation Center (CNITSEC) and that Boyusec has been\r\nworking with Guangdong ITSEC on a joint active defense lab since 2014.\r\nGuangdong ITSEC is one in a nation-wide network of security evaluation centers certified and administered by\r\nCNITSEC. According to Chinese state-run media, Guangdong ITSEC became the sixteenth nationwide branch of\r\nCNITSEC in May 2011. Guangdong ITSEC’s site also lists itself as CNITSEC’s Guangdong Office on its header.\r\nAccording to academic research published in China and Cybersecurity: Espionage, Strategy, and Politics in the\r\nDigital Domain, CNITSEC is run by the MSS and houses much of the intelligence service’s technical cyber\r\nexpertise. CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.”\r\nPer a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from\r\nCNITSEC’s activities in intelligence operations.
CNITSEC’s Director, Wu Shizhong, even self-identifies as MSS,\r\nincluding for his work as a deputy head of China’s National Information Security Standards Committee as\r\nrecently as January 2016.\r\nRecorded Future research identified several job advertisements posted since 2015 on Chinese-language job sites such as\r\njobs.zhaopin.com, jobui.com, and kanzhun.com. In these advertisements, Boyusec revealed that it had established a joint\r\nactive defense lab (referred to as an ADUL) with Guangdong ITSEC in 2014. Boyusec stated that the mission of\r\nthe joint lab was to develop risk-based security technology and to provide users with innovative network defense\r\ncapabilities.\r\nJob posting where Boyusec highlights the joint lab with Guangdong ITSEC. The translated text is, “In 2014,\r\nGuangzhou Boyu Information Technology Company and Guangdong ITSEC cooperated closely to establish a\r\njoint active defense lab (ADUL).”\r\nConclusion\r\nThe lifecycle of APT3 is emblematic of how the MSS conducts operations in both the human and cyber domains.\r\nAccording to scholars of Chinese intelligence, the MSS is composed of national, provincial, and local elements.\r\nMany of these elements, especially at the provincial and local levels, include organizations with valid public\r\nmissions to act as a cover for MSS intelligence operations.
Some of these organizations include think tanks such\r\nas CICIR, while others include provincial-level governments and local offices.\r\nIn the case of APT3 and Boyusec, this MSS operational concept serves as a model for understanding the cyber\r\nactivity and lifecycle:\r\nWhile Boyusec has a website, an online presence, and a stated “information security services” mission, it\r\ncites only two partners, Huawei and Guangdong ITSEC.\r\nIntrusiontruth and the Washington Free Beacon have linked Boyusec to supporting and engaging in cyber\r\nactivity on behalf of the Chinese intelligence services.\r\nRecorded Future’s open source research has revealed that Boyusec’s other partner is a field office for a\r\nbranch of the MSS. Boyusec and Guangdong ITSEC have been documented working collaboratively\r\ntogether since at least 2014.\r\nAcademic research spanning decades documents an MSS operational model that utilizes organizations,\r\nseemingly without an intelligence mission, at all levels of the state to serve as cover for MSS intelligence\r\noperations.\r\nAccording to its website, Boyusec has only two collaborative partners, one of which (Huawei) it is working\r\nwith to support Chinese intelligence services, the other, Guangdong ITSEC, which is actually a field site\r\nfor a branch of the MSS.\r\nGraphic displaying the relationship between the MSS and APT3.\r\nImpact\r\nThe implications are clear and expansive. Recorded Future’s research leads us to attribute APT3 to the Chinese\r\nMinistry of State Security and Boyusec with a high degree of confidence.
Boyusec has a documented history of\r\nproducing malicious technology and working with the Chinese intelligence services.\r\nAPT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the MSS.\r\nCompanies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the\r\nresources and technology of the Chinese government. In this real-life David versus Goliath situation, customers\r\nneed both smart security controls and policy, as well as actionable and strategic threat intelligence.\r\nAPT3 is not just another cyber threat group engaging in malicious cyber activity; research indicates that Boyusec\r\nis an asset of the MSS and their activities support China’s political, economic, diplomatic, and military goals.\r\nThe MSS derives intelligence collection requirements from state and party leadership, many of which are defined\r\nbroadly every five years in official government directives called Five Year Plans. Many APT3 victims have fallen\r\ninto sectors highlighted by the most recent Five Year Plan, including green/alternative energy, defense-related\r\nscience and technology, biomedical, and aerospace.\r\nSource: https://www.recordedfuture.com/research/chinese-mss-behind-apt3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.recordedfuture.com/research/chinese-mss-behind-apt3"
	],
	"report_names": [
		"chinese-mss-behind-apt3"
	],
	"threat_actors": [
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38a5cc2d66914089971edbce1748bfe048527edf.pdf",
		"text": "https://archive.orkl.eu/38a5cc2d66914089971edbce1748bfe048527edf.txt",
		"img": "https://archive.orkl.eu/38a5cc2d66914089971edbce1748bfe048527edf.jpg"
	}
}