Mandiant, the computer forensic and incident response firm that got called in following the recent breaches of the New York Times‘ and Wall Street Journal‘s networks, has issued a comprehensive report about a specific hacking group that they believe to be a unit of China’s People’s Liberation Army.
Dubbed APT1, this group is one of more than 20 APT groups with origins in China and has conducted cyber espionage campaigns against a “broad range of victims” since at least 2006.
In the last seven years, Mandiant’s researchers have analyzed nearly 150 breaches that they believe were conducted by the group, but they point out that these attacks represents only a small fraction of the total number of campaigns waged by APT1.
“From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures),” they shared in the report.
They claim that the hacker group is “able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support,” and that their analysis points to Unit 61398 of the People’s Liberation Army (PLA’s) being the APT1 group.
The building hosting the Unit is in same area from which APT1 activity appears to originate. “Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood,” Madiant CEO Kevin Mandia commented the denial issued by China’s Defence Ministry regarding the accuracy of the company’s findings.
Mandiant estimates that the Unit is staffed by at least hundreds (and possibly even more) people that are trained in computer security and computer network operations and are proficient in the English language.
“APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property,” they claim. “Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”
The group’s targets are mostly based in the U.S. and operate in 20 major industries (click on the screenshot to enlarge it):
Even though they have a non-disclosure policy in place regarding their investigations, Mandiant has decided to publish a “significant part” of their intelligence about Unit 61398 because they believe it is time to acknowledge the threat is originating in China.
“Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches,” they pointed out, adding that they are aware that this decision will lead to Unit 61398 to change their attack techniques and that will make them harder to track in the future.
“We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism,” they concluded.
The report is quite extensive, but well worth a read for anyone working in information security. You can download it here, and find out about APT1’s attack lifecycle, infrastructure, malware arsenal, the identities of some of its members, and more.
There is also a video that shows actual attacker sessions and their intrusion activities: