APT1: Exposing One of China’s Cyber Espionage Units

Mandiant has issued a new report focused on the most prolific cyber espionage group Mandiant tracks: APT1. This single organization has conducted a cyber espionage campaign against a broad range of victims since at least 2006. See also below a New York Times article re this Chinese cyber unit attacks on US companies and infrastructure and how they got in.

REPORT: APT1: Exposing One of China’s Cyber Espionage Units (pdf)

Highlights

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. The scale and impact of APT1’s operations compelled us to write this report. In an attempt to bolster defenses against APT1 operations Mandiant is also releasing more than 3,000 indicators as part of the appendix to this report, which can be used with our free tools and our commercial products to search for signs of APT attack activity.

Highlights of the report include:

  • APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
  • APT1 maintains an extensive infrastructure of computer systems around the world.
  • In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
  • The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
  • In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
  • Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.

——————–

Chinese Army Unit Is Seen as Tied to Hacking Against U.S. (New York Times)

Unit 61398On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.

The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398.

A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower. . . .

. . . While Comment Crew has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks.

According to the security researchers, one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.

The unit was also among those that attacked the computer security firm RSA, whose computer codes protect confidential corporate and government databases. . . .

. . . . Mandiant believes Unit 61398 conducted sporadic attacks on American corporate and government computer networks; the earliest it found was in 2006. Two years ago the numbers spiked.

Mandiant discovered some of the intrusions were long-running. On average the group would stay inside a network, stealing data and passwords, for a year; in one case it had access for four years and 10 months.

Mandiant has watched the group as it has stolen technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of its clients, mostly in the United States.

Mandiant identified attacks on 20 industries, from military contractors to chemical plants, mining companies and satellite and telecommunications corporations.

Mandiant’s report does not name the victims, who usually insist on anonymity. A 2009 attack on Coca-Cola coincided with the beverage giant’s failed attempt to acquire the China Huiyuan Juice Group for $2.4 billion, according to people with knowledge of the results of the company’s investigation.

As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy.

The attack on Coca-Cola began, like hundreds before it, with a seemingly innocuous e-mail to an executive that was, in fact, a spearphishing attack.

When the executive clicked on a malicious link in the e-mail, it gave the attackers a foothold inside Coca-Cola’s network. From inside, they sent confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed.

Two years later, Comment Crew was one of at least three Chinese-based groups to mount a similar attack on RSA, the computer security company owned by EMC, a large technology company. It is best known for its SecurID token, carried by employees at United States intelligence agencies, military contractors and many major companies. (The New York Times also uses the firm’s tokens to allow access to its e-mail and production systems remotely.) RSA has offered to replace SecurID tokens for customers and said it had added new layers of security to its products.

As in the Coca-Cola case, the attack began with a targeted, cleverly fashioned poisoned e-mail to an RSA employee. Two months later, hackers breached Lockheed Martin, the nation’s largest defense contractor, partly by using the information they gleaned from the RSA attack. . . . .

. . . .  But the most troubling attack to date, security experts say, was a successful invasion of the Canadian arm of Telvent.

The company, now owned by Schneider Electric, designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems.

Telvent keeps detailed blueprints on more than half of all the oil and gas pipelines in North and South America, and has access to their systems.

In September, Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems.

Martin Hanna, a Schneider Electric spokesman, did not return requests for comment, but security researchers who studied the malware used in the attack, including Mr. Stewart at Dell SecureWorks and Mr. Blasco at AlienVault, confirmed that the perpetrators were the Comment Crew.

This is terrifying because — forget about the country — if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent,“ Mr. Peterson of Digital Bond said. “It’s the holy grail.” . . . . . (Read all)

 

 

 

Testimonials
CI/SECURITY ARTICLES
Threats are Out There