Declassified · Confirmed
Modern · USA, Canada, UK, India, Israel, Taiwan · PLA · 19 February 2013

APT1 / Comment Crew (PLA Unit 61398)

Mandiant's landmark 2013 report exposed PLA Unit 61398 operating from a Shanghai tower block as the source of systematic cyber-espionage against at least 141 organisations across 20 industries over seven years.

Cyber Operations · Industrial Espionage · Signals Intelligence

Overview

APT1, also known as Comment Crew or the Comment Group, was a Chinese cyber-espionage unit identified with high confidence by the cybersecurity firm Mandiant as operating within the People’s Liberation Army’s Unit 61398, based at 208 Datong Road, Pudong New Area, Shanghai. Mandiant’s February 2013 report, at the time the most detailed public attribution of state-sponsored hacking ever published, documented seven years of systematic intrusions against at least 141 organisations across 20 industries — the overwhelming majority in English-speaking countries, with a focus on the United States.

The report traced attacks to a 12-storey building in Pudong that housed Unit 61398, part of the PLA’s General Staff Department Third Department (signals intelligence). Mandiant released IP addresses, malware samples, operational timelines, and even footage of operators at their workstations. The publication was unprecedented: a private company publicly naming a specific military building in a foreign country as the source of cyberattacks against its clients.

Scale and Targets

Over seven years, APT1 stole hundreds of terabytes of data from organisations in aerospace, energy, telecommunications, IT, legal and financial services, media, and defence. The group maintained persistent access to victim networks for an average of 356 days; in one case access was maintained for 1,764 days — nearly five years. Twenty-two of the compromised organisations were in the aerospace and satellite sector; others included major US defence contractors, government-adjacent research organisations, and critical infrastructure operators.

APT1 used spear-phishing emails to gain initial access, deployed custom malware including WEBC2, BISCUIT, and GREENCAT, and tunnelled exfiltrated data through compromised infrastructure in multiple countries to obscure its origin. Mandiant analysts also linked the activity to GIF89 and to Beijing-dialect Chinese-language patterns observable in operational behaviour and in malware comments; hence the name “Comment Crew.”

The Indictments

In May 2014, the US Department of Justice took the unprecedented step of indicting five named PLA officers — Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui — on 31 counts including computer fraud, economic espionage, and theft of trade secrets. It was the first time the US had indicted serving foreign military officers for cybercrime. All five remain in China and have never been extradited.

China’s government denied all allegations and temporarily suspended participation in a US-China cyber working group. The indictments were widely understood as a declaratory rather than prosecutorial instrument — signalling US willingness to publicly name state hackers rather than any expectation of trial.

Legacy

The APT1 report fundamentally changed the cybersecurity industry’s approach to threat intelligence. Public, named attribution of state actors, now routine, traces directly to Mandiant’s 2013 decision. The report also led directly to the US government developing its own public attribution framework. Unit 61398’s Pudong building remains operational.
