Skip to content

Mandiant report on APT1 & China’s cyber espionage units

by Pierluigi Paganini on February 19th, 2013
Mandiant_APT1

Early this month it was spread the news regarding a sophisticated cyber espionage campaign against principal media agencies in US, included NYT and Washington Post, the hackers have tried to compromise the email account of journalists to steal sensitive information. The campaign appeared very aggressive, the hackers have tried to infiltrate the network of the journal using 45 instances of targeted malware, as revealed by forensics analysis conducted by Mandiant security firm.

Mandiant experts observed that the hackers began work, for the most part, at 8 a.m. Beijing time operating for a standard work day, but the group of hackers has also attacks stopped for a couple of weeks periodically.

The New York Times reported:

“The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.”

Few weeks after The Mandiant® Intelligence Center™ released an shocking report that reveals an enterprise-scale computer espionage campaign dubbed APT1.  The term APT1 is referred to one of the numerous cyber espionage campaign that stolen the major quantity of information all over the world.

APT1_Activity

The evidences collected by the security experts link APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398) but what is really impressive is that the operations have been started in the distant 2006 targeting 141 victims across multiple industries.

TimeLine_APT1

Following the info provided on the famous “Unit 61398:

  • The nature of “Unit 61398’s” work is considered by China to be a state secret; however, we believe it engages in harmful “Computer Network Operations.”
  • Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong  New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility  that is 12 stories high and was built in early 2007.
  • We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.
  • China Telecom provided special fiber optic communications infrastructure for the unit in the name of national defense.
  • Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.
  • Mandiant has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.

During the attacks the attackers have took over APT1 malware families and has revealed by the report APT1′s modus operandi (tools, tactics, procedures) including a compilation of videos  showing actual APT1 activity.

The Mandiant has also identified more than 3,000 indicators to improve defenses against APT1 operations  and is releasing a specific document that will address them  including APT1 indicators such as domain names, IP addresses, and MD5 hashes of malware.

APt1 has systematically stolen hundreds of terabytes of data from victim organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

Compromised_Industry

APT1 is a persistent collector,  once APT1 has established access, they periodically access to victim’s network stealing sensitive information and intellectual property for a long time, typically maintaining access to victim networks for an average of 356 days.

The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

In the precious document the Mandiant will also propose:

  • Thirteen (13) X.509 encryption certificates used by APT1.
  • A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1′s arsenal of digital weapons.
  • IOCs that can be used in conjunction with Redline™, Mandiant’s free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant’s commercial enterprise investigative tool.

Mandiant managers have decided to make an exception to its traditional non-disclosure policy due the risks related to the imposing cyber espionage campaign and its impact on global economy, many states and related industries are victims of the offensive.

Following a meaningful declaration of the security firm:

“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively.  The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage.  Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.  We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”

The cyber war has started a long time ago!

Pierluigi Paganini

Comments are closed.