One of the most important news items shared on the internet this week is the indictment announced by the US Department of Justice (DOJ) against five members of PLA Unit 61398.
One year ago, Mandiant experts analyzed in depth the activities of the Chinese cyber unit in the APT1 report; the study aroused great indignation on the part of the Beijing government.
In this case too, China accused the US of having fabricated the evidence, asking the American authorities to “correct the error immediately.”
If the facts are confirmed, China is responsible for years of cyber espionage aimed at stealing industrial secrets and intellectual property from US companies.
In a blog post, experts at FireEye analyzed the content of the indictment, highlighting that the evidence provided includes Exhibit F (pages 54-56), which shows three charts based on Dynamic DNS data.
The charts indicate Unit 61398 operators were re-pointing their domain names at a Dynamic DNS provider during Chinese business hours in the period from 2008 to 2013.
“Government offices, institutions and schools begin at 8:00 or 8:30, and end at 17:00 or 17:30 with two-hour noon break, from Monday to Friday. They usually close on Saturday, Sunday and public holidays.”
“What Exhibit F shows is a spike of activity on Monday through Friday around 8am in Shanghai (China Standard Time), a roughly 2-hour lull at lunchtime, and then another spike of activity from about 2pm to 6pm. The charts also show that there were very few changes in Dynamic DNS resolution on weekends,” FireEye states.
Mandiant – FireEye experts are corroborating the evidence by releasing additional data not included in the APT1 report. The APT1 report included the following data:
The APT1 report did not originally include an analysis of the time of day and day of the week at which these 1,905 Remote Desktop (RDP) connections occurred. The following chart makes it evident that the activities were conducted during Chinese business hours; in a few isolated cases, APT1 members worked during weekends.
The timestamp data used for the above analysis derived from active RDP logins over a two-year period, and it exactly matches the DOJ’s timestamp data, which was derived from a different source.
“These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are.”
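The time-of-day and day-of-week analysis described above (business hours 8:00-12:00 and 14:00-18:00, a two-hour lunch lull, quiet weekends, all in China Standard Time) can be reproduced on any set of UTC timestamps. The following is an added example, not code or data from FireEye, Mandiant or the indictment; the login timestamps are constructed, and a fixed UTC+8 offset is assumed for Shanghai (it observes no DST).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of hypothetical RDP logins, not real APT1 data.
SAMPLE_LOGINS_UTC = [
    "2013-03-04T00:15:00Z",  # Mon 08:15 CST -> work
    "2013-03-04T02:40:00Z",  # Mon 10:40 CST -> work
    "2013-03-04T04:30:00Z",  # Mon 12:30 CST -> lunch lull
    "2013-03-04T07:05:00Z",  # Mon 15:05 CST -> work
    "2013-03-05T01:00:00Z",  # Tue 09:00 CST -> work
    "2013-03-05T09:50:00Z",  # Tue 17:50 CST -> work
    "2013-03-06T15:00:00Z",  # Wed 23:00 CST -> off hours
    "2013-03-09T03:00:00Z",  # Sat 11:00 CST -> weekend
]

# Assumption: Shanghai is a fixed UTC+8 zone, so no tz database is needed.
CST = timezone(timedelta(hours=8), "CST")


def classify(ts_utc: str, tz=CST) -> str:
    """Map one UTC timestamp to a working-pattern bucket in the analyst's zone."""
    local = datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(tz)
    if local.weekday() >= 5:          # Saturday / Sunday
        return "weekend"
    h = local.hour + local.minute / 60
    if 8 <= h < 12 or 14 <= h < 18:   # the two working blocks FireEye describes
        return "work"
    if 12 <= h < 14:                  # the two-hour noon break
        return "lunch"
    return "off"


def business_hours_profile(timestamps, tz=CST) -> dict:
    """Count events per bucket; keys are always present so downstream code is stable."""
    counts = Counter(classify(t, tz) for t in timestamps)
    return {k: counts.get(k, 0) for k in ("work", "lunch", "off", "weekend")}


def business_hours_ratio(timestamps, tz=CST) -> float:
    """Share of events falling inside weekday working blocks (0.0 to 1.0).

    A high ratio is consistent with an operator working that zone's office hours;
    as the article notes, it can also be produced deliberately, so treat it as
    one indicator to be corroborated, never as proof of location on its own.
    """
    if not timestamps:
        return 0.0
    return business_hours_profile(timestamps, tz)["work"] / len(timestamps)


if __name__ == "__main__":
    print(business_hours_profile(SAMPLE_LOGINS_UTC))   # {'work': 5, 'lunch': 1, 'off': 1, 'weekend': 1}
    print(round(business_hours_ratio(SAMPLE_LOGINS_UTC), 3))  # 0.625
```

Running the same functions with a different `tz` offset shows whether the pattern still lines up with office hours elsewhere, which is the comparison behind the "either operating in China or painstakingly pretending to" conclusion.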
The “attribution” of responsibility for a cyber attack is very difficult, and this latest collection of data is not sufficient to exclude that a third government used the same means and methods typically associated with China-based hackers. The fact that the hackers worked during Chinese business hours is further evidence, but the intelligence service of any other government could easily have used it as a diversionary strategy.
Given this, it is clear that all the evidence collected so far leaves no doubt about the nature of the attacks.
(Security Affairs – FireEye, APT1)