{
	"id": "bf9ae89b-891e-432f-b882-c4cef0d45075",
	"created_at": "2026-04-06T00:18:01.983756Z",
	"updated_at": "2026-04-10T03:26:15.934751Z",
	"deleted_at": null,
	"sha1_hash": "9b4b65eddf039e8180859efc0a993eb4d6d9326a",
	"title": "The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ's Findings on APT1 Intrusion Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 124397,
	"plain_text": "The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms\r\nDOJ's Findings on APT1 Intrusion Activity\r\nBy FireEye Labs\r\nPublished: 2014-05-20 · Archived: 2026-04-05 22:27:27 UTC\r\nYesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau\r\nof the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit\r\n61398. This is the same unit that Mandiant publicly unmasked last year in the APT1 report. At the time it was\r\noriginally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s\r\nindictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated\r\nthe evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s\r\nmessaging; if the evidence is real, it overwhelmingly demonstrates China's unilateral attempts to leapfrog years of\r\nindustrial development -- by using cyber intrusions to access and steal intellectual property.\r\nThe evidence provided in the indictment includes Exhibit F (pages 54-56), which shows three charts based on\r\nDynamic DNS data. These charts indicate that the named defendants (Unit 61398 members) were re-pointing their\r\ndomain names at a Dynamic DNS provider during Chinese business hours from 2008 to 2013. The China work\r\nday, particularly for government offices, is very predictable, as noted on this travel site:\r\n\"Government offices, institutions and schools begin at 8:00 or 8:30, and end at 17:00 or 17:30 with two-hour\r\nnoon break, from Monday to Friday. They usually close on Saturday, Sunday and public holidays.\"\r\nWhat Exhibit F shows is a spike of activity on Monday through Friday around 8am in Shanghai (China Standard\r\nTime), a roughly 2-hour lull at lunchtime, and then another spike of activity from about 2pm to 6pm. 
The charts\r\nalso show that there were very few changes in Dynamic DNS resolution on weekends.\r\nAt Mandiant (now a FireEye company), we can corroborate the DOJ’s data by releasing additional evidence that\r\nwe did not include in the APT1 report. In the APT1 report, we specified the following:\r\nOver a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors\r\nlogging into their hop infrastructure from 832 different IP addresses with Remote Desktop.\r\nOf the 832 IP addresses, 817 (98.2%) were Chinese and belong predominantly to four large net blocks in\r\nShanghai which we will refer to as APT1’s home networks.\r\nIn order to make a user’s experience as seamless as possible, the Remote Desktop protocol requires client\r\napplications to forward several important details to the server, including their client hostname and the client\r\nkeyboard layout. In 1,849 of the 1,905 (97%) APT1 Remote Desktop sessions we observed in the past\r\ntwo years, the keyboard layout setting was “Chinese (Simplified) — US Keyboard.”\r\nOne thing we did not originally provide was an analysis of the time of day and day of week that these 1,905\r\nRemote Desktop (RDP) connections occurred. 
However, when we look at these connections in bar chart format,\r\nhttps://web.archive.org/web/20210417085454/https://www.fireeye.com/blog/threat-research/2014/05/the-pla-and-the-800am-500pm-work-day-fireeye-confirms-dojs-findings-on-apt1-intrusion-activity.html\r\nPage 1 of 3\n\nobvious patterns appear:\r\nFigure 1: APT1 Remote Desktop login times distributed by hour of day (China Standard Time)\r\nFigure 2: APT1 Remote Desktop login times distributed by day of week (China Standard Time)\r\nEssentially, APT1 conducted almost all of the 1,905 RDP connections from 2011 to 2013:\r\n(1) On week days (Monday through Friday),\r\n(2) between 8am and noon, 2pm and 6pm, and 7pm and 10pm CST.\r\nOn some occasions, APT1 personnel appear to have worked on weekends, but these are minor exceptions to the\r\nnorm. Consider the following evidence together for the 1,905 RDP connections:\r\n98.2% of IP addresses used to log in to hop points (which help mask the real point of origin to victim\r\norganizations) were from Shanghai networks\r\n97% of the connections were from computers using the Simplified Chinese language setting\r\n97.5% of the connections occurred on weekdays, China Standard Time\r\n98.8% of the connections occurred between 7am and midnight China Standard Time\r\n75% occurred between 8am to noon or between 2pm to 6pm\r\n15% occurred between 7pm and 10pm\r\nThe simplest conclusion based on these facts is that APT1 is operating in China, and most likely in Shanghai.\r\nAlthough one could attempt to explain every piece of evidence away, at some point the evidence starts to become\r\noverwhelming when it is all pointing in one direction. 
Our timestamp data, derived from active RDP logins over a\r\ntwo-year period, matches the DOJ’s timestamp data, derived from a different source -- active Dynamic DNS re-pointing over a five-year period. These data sets show that APT1 is either operating in China during normal\r\nChinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are.\r\nThe data used to produce the charts above are archived in raw format and we are confident that any computer\r\nnetworking expert would certify them as genuine and non-fabricated in a court of law. But that isn’t really the\r\nissue. The real issue is: will this activity continue, and for how long? Regardless, FireEye remains focused on how\r\nthese threats evolve over time, in order to reduce the time from “detect” to “fix”, as these and other actors\r\ncontinue targeting potential victims.\r\nSource: https://web.archive.org/web/20210417085454/https://www.fireeye.com/blog/threat-research/2014/05/the-pla-and-the-800am-500pm-work-day-fireeye-confirms-dojs-findings-on-apt1-intrusion-activity.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20210417085454/https://www.fireeye.com/blog/threat-research/2014/05/the-pla-and-the-800am-500pm-work-day-fireeye-confirms-dojs-findings-on-apt1-intrusion-activity.html"
	],
	"report_names": [
		"the-pla-and-the-800am-500pm-work-day-fireeye-confirms-dojs-findings-on-apt1-intrusion-activity.html"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434681,
	"ts_updated_at": 1775791575,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b4b65eddf039e8180859efc0a993eb4d6d9326a.pdf",
		"text": "https://archive.orkl.eu/9b4b65eddf039e8180859efc0a993eb4d6d9326a.txt",
		"img": "https://archive.orkl.eu/9b4b65eddf039e8180859efc0a993eb4d6d9326a.jpg"
	}
}