Early this month news spread of a sophisticated cyber espionage campaign against major media outlets in the US, including the NYT and the Washington Post: the attackers tried to compromise the email accounts of journalists to steal sensitive information. The campaign was very aggressive; the attackers tried to infiltrate the newspaper's network using 45 instances of targeted malware, as revealed by forensic analysis conducted by the security firm Mandiant.
Mandiant experts observed that the hackers began work, for the most part, at 8 a.m. Beijing time and operated for a standard workday, although the group also periodically paused its attacks for a couple of weeks at a time.
The New York Times reported:
“The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.”
A few weeks later, the Mandiant® Intelligence Center™ released a shocking report revealing an enterprise-scale computer espionage campaign dubbed APT1. The name APT1 refers to one of the most prolific of the numerous cyber espionage campaigns stealing information all over the world.
The evidence collected by the security experts links APT1 to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398), but what is really impressive is that the operations started as far back as 2006, targeting 141 victims across multiple industries.
Following is the information provided on the famous “Unit 61398”:
During the attacks the attackers employed the APT1 malware families, and the report reveals APT1's modus operandi (tools, tactics and procedures), including a compilation of videos showing actual APT1 activity.
Mandiant has also identified more than 3,000 indicators to improve defenses against APT1 operations and is releasing a dedicated document that addresses them, including APT1 indicators such as domain names, IP addresses, and MD5 hashes of malware.
APT1 has systematically stolen hundreds of terabytes of data from victim organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
APT1 is a persistent collector: once it has established access, it periodically returns to the victim's network, stealing sensitive information and intellectual property over a long period and maintaining access to victim networks for an average of 356 days.
The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.
In the same valuable document Mandiant also proposes:
Mandiant's managers decided to make an exception to the firm's traditional non-disclosure policy because of the risks posed by this massive cyber espionage campaign and its impact on the global economy; many states and related industries are victims of the offensive.
Following is a meaningful declaration by the security firm:
“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively. The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”
The cyber war has started a long time ago!
(Security Affairs – APT1, hacking)