Mandiant Intelligence Center Report

EncryptedBytes · Feb 28, 2013

http://intelreport.mandiant.com/

A very good read. At most those in defensive roles should check out the MD5 hashes ( In the appendix) of malware that APT1 has used as part of their attack methodology and scan your stuff.

Exec Summary

Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world.

The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). We first published details about the APT in our January 2010 M-Trends report.

As we stated in the report, our position was that “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.” Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.

Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1’s operations compelled us to write this report.

The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others.

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.
Click to expand...

BrandiCandi · Feb 28, 2013

If anyone on this forum finds anything on their computer that they can attribute to APT1, I would love to know about it.

I think all but the most negligent of AV vendors will add those hashes to their databases if they haven't already.

But I agree, I found it a great read.

ComputerSaysNo · Mar 1, 2013

Those crafty Chinese They seem like amateur's using crap exploits that idiot's actually click in their emails.

BrandiCandi · Mar 1, 2013

There's no need for a fancy exploit when a boring old crap one will do (why write your own exploit from scratch when your target is running Windows XP sp2? There are canned exploits guaranteed to work).

The crafty part comes in with the delivery. Convincing your target to click the email takes thought and research. You have to create an email message that looks legitimate from a source your target recognizes, and the content needs to appear normal.

Log in or Sign up

Mandiant Intelligence Center Report

EncryptedBytes Registered Member

BrandiCandi Guest

ComputerSaysNo Guest

BrandiCandi Guest

Log in or Sign up

Mandiant Intelligence Center Report

EncryptedBytes Registered Member

BrandiCandi Guest

ComputerSaysNo Guest

BrandiCandi Guest

Useful Searches