APT Chinese hacking- new Advance Persistent Threat revealed by new research

Further to Dyenamic Solutions’ post this week- Hackers are hunting for clues about you- the Comment Group new research by Mandiant has colloborrated and expanded on the threat that what appears to be Chinese state sponsered hacking and theft is Advanced, Persistent and a major Threat to English speaking businesses around the world.Both Napoleon and Machiavelli suggested that the key for success in war is to know and understand your enemy.

As such Dyenamic Solution reproduces the salient points of their latest report as a warning to you that YOU and any business should consider yourselves as a potential victim.

Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world:

The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.”

Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.

Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups.

We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in China.

APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.

From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1’s operations compelled us to write this
report.

The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted.

Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years.

From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area.

We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures).

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors.

We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.

KEY FINDINGS
APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).

APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

APT1 focuses on compromising organizations across a broad range of industries in English speaking countries

APT1 maintains an extensive infrastructure of computer systems around the world.

In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.

The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.

The primary research can be found at:
https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/

with the specific 76 page PDF report at
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf