The Comment Crew/APT1 Genealogy Project. Your Help Is Requested.

This is an open request for assistance in a project that I've taken on. The threat actor known as Comment Crew (aka Comment Panda, APT1, Soy Sauce, B... C..., ShadyRat, WebC2, GIF89a, and who knows how many other names) has been active for a long time. Since the Attorney General chose some alleged members of this crew to indict and send a message to the Chinese government, I think it would be helpful to establish its provenance and identify how many entities (government, military, and private sector) have contributed to what is known about them over the past 14 years or so.

Here are seven questions that I think will help build out this "family tree".  All contributors names will be kept completely confidential.

If you have additional questions that you think should be asked, feel free to suggest them and I'll update this post. Once there's enough information to build out a first iteration of a genealogy, I'll post it in an online Wiki for peer-review.

  1. To your knowledge, who first discovered this group, and what were the circumstances?
  2. When did you discover it? 
  3. What name do you use to identify it?
  4. What distinguishing characteristics do you use to differentiate it from other APT threat actors?
  5. Which public and private agencies/corporations do you share information about this group with?
  6. When information is shared about this group, have you noticed a difference in quality of data? 
  7. Do you have a data quality management plan for cyber threat intelligence at your company?

My contact information is here at the bottom of the web page. Just click the "Email" link. Thanks very much for your help.

Comments