Wednesday, February 20, 2013

Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators


Read more below.  It's pretty much mandatory reading for the IT security person.  Interesting facts, and it may well help you test your employees' awareness of spear-phishing and/or lock down your network.  This is probably the IT security news of the year...I'm scared to see anything that could top this.


I wanted to add my opinions to this post.

I'm a subscriber to Richard Bejtlich's TaoSecurity blog.  If you're not aware, he's the CSO of Mandiant.  He has my utmost respect because he's the CSO of a security firm and is still a hands-on person (read his blog to see what level of content he provides on a normal basis).  He also attends SANS events and is a trainer.  He understands network security monitoring as no one else does -- I broke into the IT security industry by accepting a network security monitoring position, and can relate to a lot of what he prints/states on his NSM topics.  I've purchased (and read) at least one of his books.  I follow his Twitter posts.  I'm familiar with his experience within the civilian and federal IT security sectors.  I can relate to a lot of what he states (not saying I'm at the same level, but he's certainly a mentor of mine).

He has been very vocal about APTs the last 4-5 years.  Even without reading all the headlines and internet news (or the report itself), it's very obvious that he was watching APTs well before the recent APT1 report.  Many people seem to think that he was over-zealous in the release of such data.  They think he is confirming that the culprit is China and is state-sponsored.  What I'm seeing is that he's providing the data that supports the claim, but isn't outright claiming it.  Whether this was state-sponsored or not, it will be extremely difficult to prove who was behind the attacks.  In most cases, if the attack isn't linked to a certain ideological group (e.g., Anonymous) and that group isn't publicly acknowledging that they were responsible for the attack, a company will have an extremely difficult time proving the actual culprit with 100% accuracy.

I think Mandiant did a very good job in providing the extreme details regarding APT1.  I think that the details show that it is highly unlikely that the responsible party is not originating from China.  IP addresses alone don't prove their case, but they definitely went above and beyond in showing that there's data besides IP addresses that supports the idea that the Chinese government is somehow involved (or, at the very least, aware).  There are only two alternative scenarios (and one of them was mentioned in the report):  there is a non-government-sponsored group at the same location as APT1 that is responsible for the cyber-espionage incidents (mentioned in the report); or, APT1's network has been compromised by outside entities (outsiders are using their tools to attack financial, government, and news organizations).  Both of those are highly unlikely, especially when factoring in the data of the Mandiant report.

My main thought is that if the organizations that were previously attacked had shared their information regarding their cyber-attacks, the IT sector would've benefited greatly and at least been aware of how to harden their employees and architecture.  It may not have stopped the attacks outright, but it certainly would've lessened the success of the methods that APT1 used in compromising networks.  Some security experts think that Mandiant made unconfirmed claims.  They did the best they could while still trying to determine the culprit...I challenge any other security firm to do the same.  Others think that they should've consulted the US government first, but I think all that would've done was mire the whole thing in typical bureaucratic red tape.  Some think that he has a hard-on for China -- this may or may not be true, but every real or couch security professional I know of has had some brush with anomalous and/or malicious packets from China...the fact that Mandiant provided a literal ton of detail to support the report is a plus, in my opinion.

They did well, and I hope to see more of such reports in the future, whether it's from Mandiant or other companies.

Update 2:

A follow-up article, posted after the Mandiant report was posted: