Cyber espionage is a type of cyber attack that aims to steal sensitive and often classified information to gain an advantage over a company or government.

The group dubbed “APT1” or “Advanced Persistent Threat Group 1” is the most prolific and persistent APT group. They reportedly stole hundreds of terabytes of data and maintained access to victim networks for as long as 1,764 days.

APT1 IoCs and Trademarks

Cybersecurity professionals closely monitor APT groups, including APT1. IOC’s have the below

  • 88 domain names
  • 7 subdomains
  • 8 email addresses
  • 6 netblocks
  • 3 IP addresses

APT1 actors also tend to leave signatures in the weapons they use. For instance, the APT1 persona identified as “Ugly Gorilla,” notably imprinted the initials “UG” in the FQDNs or subdomains.

  • ug-opm[.]hugesoft[.]org
  • ug-co[.]hugesoft[.]org
  • ug-rj[.]arrowservice[.]net
  • ug-hst[.]msnhome[.]org
Domain Names and Associated IP Addresses

Of the 88 domain names publicly attributed to APT1, 28 remain active in the Domain Name System (DNS) as of 4 December 2020. Some of the domains were typosquats of legitimate companies, some of which are now the owners of the IoCs (likely as part of typosquatting protection strategies). These domains and their respective registrant organizations are:

  • arrowservice[.]net: Arrow Electronics, Inc.
  • mcafeepaying[.]com: McAfee LLC
  • msnhome[.]org: Microsoft Corporation
  • myyahoonews[.]com: Oath Inc.
  • yahoodaily[.]com: Oath Inc.

Of the remaining 23 APT1 domain IoCs, 19 were cited as “malicious” by VirusTotal and could already be blacklisted by most security systems. However, four of the domains are not tagged as such even if one is a CNN look-alike domain that cannot be attributed to the news organization.

Organizations may also want to revisit these IoCs and include them in their blacklists, as there is a possibility that they could be reused. The domain comrepair[.]net, for one, resolves to a malicious IP address.

Subdomains

There are subdomains that contain Ugly Gorilla’s signature. We used the string “ug-” and searched for subdomains containing the said text string. Some 590 subdomains that begin with the text string turned up, including the IoC ug-co[.]hugesoft[.]org.

Some of these subdomains could be innocent ones that only happen to begin with “ug-.” However, they are worth looking into, especially since APT1 notoriously signed their FQDNs with the said text string.


The APT1 group had seemingly become inactive. However, that doesn’t mean that they can’t entrust the weapons in their arsenal to other cyber attack groups. In fact, they may have already done so with their code. Aside from gleaning insights from blacklist sites, it may also be a good idea for organizations to revisit the group’s IoCs, check for recent suspicious activities, and uncover more domain and IP footprints.