Dubbed APT1, this group is one of more than 20 APT groups with origins in China and has conducted cyber espionage campaigns against a "broad range of victims" since at least 2006.
In the last seven years, Mandiant's researchers have analyzed nearly 150 breaches that they believe were conducted by the group, but they point out that these attacks represent only a small fraction of the total number of campaigns waged by APT1.
"From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures)," they shared in the report.
They claim that the hacker group is "able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support," and that their analysis points to Unit 61398 of the People's Liberation Army (PLA) being the APT1 group.
The building hosting the Unit is in the same area from which APT1 activity appears to originate. "Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood," Mandiant CEO Kevin Mandia commented on the denial issued by China's Defence Ministry regarding the accuracy of the company's findings.
Mandiant estimates that the Unit is staffed by at least hundreds (and possibly many more) of people who are trained in computer security and computer network operations and are proficient in the English language.
"APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property," they claim. "Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership."
The group's targets are mostly based in the U.S. and operate in 20 major industries.
Even though they have a non-disclosure policy in place regarding their investigations, Mandiant has decided to publish a "significant part" of their intelligence about Unit 61398 because they believe it is time to acknowledge the threat is originating in China.
"Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches," they pointed out, adding that they are aware that this decision will lead Unit 61398 to change its attack techniques, which will make the group harder to track in the future.
"We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism," they concluded.
The report is quite extensive, but well worth a read for anyone working in information security. You can download it here, and find out about APT1's attack lifecycle, infrastructure, malware arsenal, the identities of some of its members, and more.
There is also a video that shows actual attacker sessions and their intrusion activities:
