
APT1: Exposing a Chinese organization engaged in industrial cyber espionage

Mandiant has released a detailed public report on its investigation of a large number of intrusions into the internal networks and computers of organizations around the world. The data were collected over an impressive span of seven years. The report shows that these intrusions were aimed at stealing all kinds of confidential information from the compromised organizations and that they were carried out by one and the same group. Mandiant concludes that a large organization of Chinese origin was behind this series of attacks, and that for seven years (!) it penetrated the private networks of organizations on behalf of the Chinese government and its security services. Moreover, this organization is in fact a unit of the People's Liberation Army of China. In this post we present the conclusions Mandiant drew from seven years of analyzing the activities of this shadowy organization. The full version of the report, including technical details, can be found here.



Introduction

Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. We classify most of these breaches as Advanced Persistent Threat (APT) activity. In our 2010 report on the APT we stated our position on the origin of these attacks as follows: "The Chinese government could authorize this espionage activity, but there is no way to determine the extent of its involvement." Now, three years later, we have the evidence needed to change our assessment. We have analyzed in detail hundreds of breaches at companies and concluded that the groups conducting this activity are based primarily in China and that the Chinese government is aware of them.

Mandiant continues to track dozens of APT groups around the world, but this report focuses on the most prolific of them. We call this group APT1; it is one of more than twenty APT groups with roots in China. APT1 has conducted cyber espionage operations against companies across a broad range of industries, and we have observed these attacks since at least 2006. In our observation, this group is the most prolific in terms of the sheer quantity of information stolen. The scale and impact of APT1's operations are impressive.

The activity we observed directly may be only a small fraction of what APT1 has actually done. Although our research does not cover all of this organization's activity, we analyzed nearly 150 intrusions over a period of seven years. We also traced the infrastructure from which these intrusions were run to computer systems located in Shanghai. We uncovered a significant portion of the APT1 infrastructure through which its operations were conducted, including its command and control, and we documented its tools, tactics and working methods. We also identified several individual operators who personally ran these operations.

Our analysis leads us to conclude that APT1 is most likely sponsored by the Chinese government and is one of the most persistent of China's cyber threat actors. We believe APT1 is able to conduct such long-running and extensive cyber espionage operations largely because it receives direct government support. In trying to identify the organization, we concluded that Unit 61398 of the People's Liberation Army (PLA) matches APT1 in mission, capabilities and resources. PLA Unit 61398 is also located in the same area from which we recorded APT1 activity.


Key findings

Finding #1
APT1 is believed to be a unit of the People's Liberation Army of China (PLA), namely the 2nd Bureau of the PLA General Staff Department's (GSD) 3rd Department (总参三部二局), most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
  • The nature of Unit 61398's work is treated as a state secret; however, we believe it conducts computer network operations, that is, penetrates other organizations' networks and systems.
  • The central building of Unit 61398 is a 12-storey facility built in early 2007.
  • We estimate that Unit 61398 is staffed by hundreds, and possibly thousands, of people.
  • The Chinese provider China Telecom built special high-speed fiber-optic communication lines for this unit, justified in the name of national defense.
  • Mandiant traced APT1 activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.

Finding #2
APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations and has demonstrated the ability to steal from dozens of organizations simultaneously.
  • Since 2006, Mandiant has observed APT1 compromise 141 organizations spanning 20 major industries.
  • APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
  • Once APT1 has gained access to a victim's network, it periodically returns to that network over months or years and steals a broad range of intellectual property, including technology blueprints, proprietary manufacturing process data, test results, business plans, email and more.
  • APT1 uses some tools and techniques we have not seen in the arsenal of other groups, including two tools designed to steal email: GETMAIL and MAPIGET.
  • APT1 maintains access to victim networks for an average of 356 days. The longest period over which APT1 held access to a compromised network was 1,764 days, or four years and ten months.
  • Among other large-scale thefts, we observed one case in which 6.5 terabytes of data were taken from a single organization over a ten-month period.
  • In January 2011 alone, APT1 successfully compromised at least 17 new victims operating in 10 different industries.

Finding #3
APT1 targets organizations across a broad range of industries, located predominantly in countries where English is the main language.
  • Of APT1's 141 victims, 87% were headquartered in English-speaking countries.
  • The industries APT1 attacks match those China has identified as strategic for its development, including four of the seven strategic emerging industries named in China's 12th Five-Year Plan.


Finding #4
APT1 maintains an extensive infrastructure of computer systems around the world.
  • APT1 controls thousands of systems from which it conducts its intrusions.
  • Over the past two years we observed APT1 operating 937 command-and-control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 addresses were registered in China (709) and the United States (109).
  • Over the past three years we observed APT1 domain names resolving to 988 unique IP addresses.
  • Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 operators logging into their attack infrastructure over Remote Desktop from 832 different IP addresses.
  • Over the past several years we have recorded 2,551 domain names attributed to APT1 infrastructure.

Finding #5
The size of APT1's infrastructure implies a large organization with dozens, and perhaps hundreds, of human operators.
  • By our estimate, APT1's current infrastructure includes more than 1,000 servers.
  • Given the scope, duration and type of its attacks, APT1's operators must be directly supported by linguists, open source researchers, malware authors and industry experts; these people relay tasking from the requesting parties to the operators and pass the stolen information from the operators back to the requesting parties.
  • APT1 would also need a significant IT staff responsible for workstations, accounting, infrastructure management and logistics.

Finding #6
To emphasize that real people sit behind these keyboards, Mandiant identifies three personas associated with APT1 activity.
  • The first, "UglyGorilla", has been active in APT1 operations since 2004. His activities include registering domains for APT1, and he is the author of malware APT1 uses in its attacks. UglyGorilla publicly expressed interest in joining China's "cyber troops" in January 2004.
  • The second, whom we call "DOTA", registered dozens of email accounts used to launch spear-phishing and social engineering attacks. "DOTA" used several Shanghai telephone numbers when registering these accounts.
  • We found that UglyGorilla and DOTA both used the same domain names and IP addresses that APT1 uses.
  • The third, using the handle "SuperHard", is the author of the AURIGA and BANGAT malware families, which we have observed in use by APT1 and other APT groups. We note that "SuperHard" lives in Shanghai.

Finding #7
Mandiant is releasing more than 3,000 indicators of compromise to help defend against APT1 operations. This information includes:
  • More than 3,000 APT1 indicators, including domain names, IP addresses and MD5 hashes of malware.
  • Sample indicators of compromise (IOCs) and detailed descriptions of more than forty families of malware.
  • Thirteen X.509 certificates used by APT1.
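Indicators of the kind listed above are only useful once they are matched against an organization's own telemetry. The following Python is an added example, not code from the original post or from Mandiant, showing how such a list (domain names, IP addresses or CIDR blocks, and MD5 hashes) can be loaded and matched against DNS, proxy and file-inventory log lines. The CSV layout, the indicator values and the log lines are all constructed for this example and are not the indicators Mandiant published; the real appendix would be loaded in the same shape.

```python
import csv
import io
import ipaddress
import re

# Constructed indicator list in a minimal "type,value,source" CSV layout.
# These are placeholder values for the example, NOT the APT1 indicators
# Mandiant published; the real appendix would be loaded in the same shape.
IOC_CSV = """type,value,source
domain,update.example-c2.test,constructed
domain,mail.example-c2.test,constructed
ip,198.51.100.23,constructed
ip,203.0.113.0/24,constructed
md5,0123456789abcdef0123456789abcdef,constructed
"""

# Constructed log lines in a key=value style: DNS queries, proxy CONNECT/GET
# records and a host file-hash inventory. None of these are real telemetry.
SAMPLE_LOG = [
    "2013-02-19T10:01:22Z client=10.0.0.5 query=update.example-c2.test type=A",
    "2013-02-19T10:01:23Z client=10.0.0.5 dst=198.51.100.23:443 method=CONNECT",
    "2013-02-19T10:02:07Z client=10.0.0.9 query=www.example.com type=A",
    "2013-02-19T10:03:11Z client=10.0.0.9 dst=203.0.113.77:80 method=GET",
    "2013-02-19T10:05:40Z host=ws-17 md5=0123456789ABCDEF0123456789ABCDEF path=C:\\Windows\\Temp\\svc.exe",
    "2013-02-19T10:06:01Z client=10.0.0.5 query=cdn.mail.example-c2.test type=A",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_iocs(text):
    """Parse the CSV into exact-match sets for domains and hashes and a
    list of ip_network objects (a single IP becomes a /32 network)."""
    iocs = {"domain": set(), "ip": [], "md5": set()}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip().lower()
        if kind == "domain":
            iocs["domain"].add(value.rstrip("."))
        elif kind == "ip":
            iocs["ip"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "md5":
            iocs["md5"].add(value)
    return iocs


def domain_matches(name, domains):
    """True if name is a listed domain or a subdomain of one, so a rotated
    hostname under an attacker-controlled domain is still flagged."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def ip_matches(addr, networks):
    """True if addr falls inside any listed address or CIDR block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def scan_line(line, iocs):
    """Return the (indicator type, matched value) hits for one log line."""
    fields = dict(KV_RE.findall(line))
    hits = []
    query = fields.get("query")
    if query and domain_matches(query, iocs["domain"]):
        hits.append(("domain", query.lower()))
    dst = fields.get("dst")
    if dst:
        host = dst.rsplit(":", 1)[0]  # drop the port; IPv4 only in this example
        if ip_matches(host, iocs["ip"]):
            hits.append(("ip", host))
    digest = fields.get("md5")
    if digest and digest.lower() in iocs["md5"]:
        hits.append(("md5", digest.lower()))
    return hits


def scan_log(lines, iocs):
    """Return (line number, indicator type, value) for every hit."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line, iocs)]


if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG, load_iocs(IOC_CSV)):
        print(f"line {n}: {kind} indicator hit on {value}")
```

Two caveats a defender would apply: the subdomain matching (a query for cdn.mail.example-c2.test hits the listed mail.example-c2.test) is intentional, because operators rotate hostnames under a domain they control; and network indicators from a report age quickly, since IP addresses and domains get reassigned, so a hit on an IP or domain indicator is a lead to investigate, while an MD5 hit on a known sample is far stronger evidence but only catches samples that have already been seen.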

We have little doubt about who is behind such large-scale and sustained attacks on so many industries. We believe the body of evidence presented in this document is sufficient to state that APT1 is Unit 61398. We acknowledge, however, one alternative, though unlikely, explanation: that a second, secret organization exists in Shanghai, similar in kind to Unit 61398, with access to the Shanghai telecommunications infrastructure, and that it is this group that is conducting these multi-year cyber espionage operations.

Size and location of Unit 61398

We believe the buildings and office space of Unit 61398 cover 130,663 square feet and are designed to house around 2,000 people.


Fig. Site of the unit's future headquarters (2006, before construction).


Fig. The completed main building of the unit (2008).


Fig. The main building of the unit (main entrance).

The evidence we have gathered about the unit, its mission and its infrastructure shows that:
  • The unit employs hundreds, perhaps thousands, of people.
  • Work in the unit requires personnel trained in computer security and computer network operations who are also proficient in English.
  • The unit has a large-scale, well-developed infrastructure of facilities in the Pudong New Area of Shanghai.
  • The unit has benefited from a special fiber-optic communications infrastructure provided by the state-owned enterprise China Telecom in the name of national defense.


APT1: years of espionage

Our research shows that since 2006 APT1 has stolen hundreds of terabytes of data from at least 141 organizations operating in various industries. Notably, we observed APT1 attacking many of these organizations at the same time. Once the group established a foothold in a victim's internal network, it continued stealing data over months or years. The stolen information typically included intellectual property, for example drawings, proprietary manufacturing process diagrams, business plans, email and much more. We believe the APT1 cyber espionage activity we have been following is only a small part of this group's operations.

Since 2006 we have watched APT1 steadily expand its access, compromising more and more victims. The figure shows a timeline of the 141 compromises. Each mark on the scale represents a single victim and records the date of the earliest APT1 activity in that organization's network. We estimate that APT1 maintained access to a victim's network for an average of 356 days. The longest period over which APT1 held access to a victim's network lasted at least 1,764 days, or four years and ten months.

Fig. Concentration of APT1 attacks by year.

APT1 geography and focus on industry

The organizations targeted by APT1 were located mainly in English-speaking countries, though we also saw a small number of targets elsewhere. We recorded that 87% of the intrusions hit companies headquartered in English-speaking countries. By our count, 115 victims were located in the USA and 7 in Canada and the United Kingdom. Of the remaining 19 victims, 17 belonged to organizations for which English is the main working language, such as multinational companies and foreign governments.


Fig. The geography of companies attacked by APT1.

APT1 has demonstrated the ability to steal data from dozens of organizations across a wide range of industries, with thefts from different organizations taking place in the same period. The figure below shows the earliest known dates of APT1 activity at each of the 141 victims, which span 20 major industries. In January 2011 alone, APT1 successfully compromised 17 new victims in 10 different industries. Since we have observed that the group remains active in each compromised network for an average of about a year after the initial compromise, we conclude that APT1 carried out these 17 new intrusions while still maintaining access to the networks of its earlier victims.


Fig. Timeline of APT1's initial compromise of organizations in various industries. The marks on the scale indicate the date of the initial compromise.

We believe the industries APT1 attacks were not chosen at random but correspond to China's strategic priorities. Our observations confirm that APT1 focuses on at least four of the seven strategic emerging industries China singled out in its 12th Five-Year Plan.


Fig. APT1 victims classified by industry.


Conclusion

It is no exaggeration to say that Mandiant has taken investigations of this kind to a new level. The rule is simple: if you are going to publicly accuse a country, in this case China, of state-level cyber espionage, you must gather the evidence to back it up. Mandiant appears to have done so. The report had the effect of a bombshell; at the very least, the public was shown evidence rather than rumors. The reaction of the security community was mixed. One may ask, for example, why the company made all this information public, or why antivirus companies turned out to be partly powerless against a threat of this level when it came to detecting the malicious binaries. One week after the report was published, Symantec announced that it, too, had been monitoring the APT1 group and released its own APT1 indicators. We still believe that what we see here is the collection of evidence of the involvement of a Chinese state-level organization in industrial cyber espionage with a view to its subsequent publication to a wide audience. The word "public" is the key here, since one may question (or perhaps not) whether the attacks described in the Mandiant report were a real threat to US national security interests (at the very least, those involved in this operation concluded that publishing the report right now would work in their favor).

Coverage of the report in the press:
  • The Wall Street Journal: online.wsj.com/article/SB10001424127887323764804578313101135258708.html
  • The New York Times: www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html
  • Ars Technica: arstechnica.com/security/2013/02/unusually-detailed-report-links-chinese-military-to-hacks-against-us

Source: https://habr.com/ru/post/170285/

