Advanced Persistent Threats (APTs) thrive in today’s work environment. From critical infrastructure to companies across the globe, breaches are occurring daily, and in most cases organizations are not even aware.
The simple answer is to always blame the Chinese for hack attempts, but true proof has never really existed. Until now.
Security company Mandiant issued a report, based on analysis of hundreds of investigations, which shows that the groups conducting APT activity are primarily based in China and that the Chinese government is aware of them.
This Mandiant report focuses on the most prolific of these groups. Mandiant calls this group “APT1” and it is one of more than 20 APT groups with origins in China.
APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006, the report said. It is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.
The activity Mandiant observed represents only a fraction of the cyber espionage APT1 has conducted. The group has hacked into nearly 150 victims over a seven-year period, the report said. The company tracked APT1 back to four large networks in Shanghai, two of which are directly in the Pudong New Area.
After analysis, Mandiant found it is likely APT1 is government-sponsored and one of the most persistent of China’s cyber threat actors. In seeking to identify the organization behind this activity, Mandiant found that People’s Liberation Army (PLA) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.
Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries. Here is some of Mandiant’s analysis:
• APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
• Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
• APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email — GETMAIL and MAPIGET.
• APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.
• Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a 10-month time period.
• In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries.
The report also found APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
The industries APT1 went after include: Information technology; aerospace; public administration; satellites and telecommunications; scientific research and consulting; energy; transportation; construction and manufacturing; engineering services; high-tech electronics; international organizations; legal services; media, advertising and entertainment; navigation; chemicals; financial services; food and agriculture; healthcare; metals and mining, and education.
Of the 141 APT1 victims, 87 percent of them have headquarters in countries where English is the native language.
This includes 115 victims located in the U.S. and seven in Canada and the United Kingdom. Of the remaining 19 victims, 17 use English as a primary language for operations.
In addition, the industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.
APT1 steals a broad range of information from its victims, according to the Mandiant report. The types of information the group has stolen relate to:
• Product development and use, including information on test results, system designs, product manuals, parts lists, and simulation technologies
• Manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes
• Business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions
• Policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel
• Emails of high-ranking employees
• User credentials and network architecture information
To bring it a little closer to home, SCADA security company Digital Bond published a report in June 2012 on a spear phishing attempt against its own company. AlienVault provided analysis of the associated malware, and indicators included in that report have since been attributed to APT1 infrastructure, the Mandiant report said.