APT1: Exposing One of China's Cyber Espionage Units
Homeland Security Digital Library Blog 2013-02-20
Summary:
Mandiant, a U.S. security firm, has published a report that links "China's military to cyberattacks on more than 140 U.S. and other foreign corporations and entities." The report, "APT1: Exposing One of China's Cyber Espionage Units," is the culmination of investigations over several years which provide evidence that an Advanced Persistent Threat (APT) group based in Shanghai, known as APT1, is responsible for the attacks. This group is identified "as a Chinese military unit within the 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, code named 'Unit 61398.'"
"APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, is is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen."
Industries targeted by APT1 also "match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan."
The size of APT1's infrastructure indicates that hundreds, and possibly thousands, of people work for this group, including "linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors."
"In an effort to illuminate the hackers behind such attacks, the report also include[s] personal details of three operators believed to be part of the unit, tracking them using accounts associated with the attacks," according to the Washington Post.
The decision to expose APT1 was a difficult one for the company: "What started as a 'what if' discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk to our ability to collect intelligence on this particular APT group. It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively."
Mandiant has also created an intelligence center for this report, where one can download not only the publication, but also the digital appendix and indicators, and a video of "actual APT1 attacker sessions and intrusion activities."