Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators

Today, The Mandiant® Intelligence Center™ released an unprecedented
report
exposing APT1’s multi-year, enterprise-scale computer
espionage campaign. APT1 is one of dozens of threat groups Mandiant
tracks around the world and we consider it to be one of the most
prolific in terms of the sheer quantity of information it has
stolen.

Highlights of the report include:

  • Evidence
    linking APT1 to China’s 2nd Bureau of the People’s Liberation Army
    (PLA) General Staff Department’s (GSD) 3rd Department (Military
    Cover Designator 61398).
  • A timeline of APT1 economic
    espionage conducted since 2006 against 141 victims across multiple
    industries.
  • APT1’s modus operandi (tools, tactics,
    procedures) including a compilation
    of videos showing actual APT1 activity
    .
  • The
    timeline and details of over 40 APT1 malware families.
  • The timeline and details of APT1’s extensive attack
    infrastructure.

Mandiant is also releasing a digital
appendix with more than 3,000 indicators to bolster defenses against
APT1 operations. This appendix includes:

  • Digital
    delivery of over 3,000 APT1 indicators, such as domain names, and
    MD5 hashes of malware.
  • Thirteen (13) X.509 encryption
    certificates used by APT1.
  • A set of APT1 Indicators of
    Compromise (IOCs) and detailed descriptions of over 40 malware
    families in APT1’s arsenal of digital weapons.
  • IOCs that
    can be used in conjunction with Redline™,
    Mandiant’s free host-based investigative tool, or with Mandiant
    Intelligent Response® (MIR)
    , Mandiant’s commercial
    enterprise investigative tool.

The scale and impact
of APT1’s operations compelled us to write this report. The decision
to publish a significant part of our intelligence about Unit 61398
was a painstaking one. What started as a “what if”
discussion about our traditional non-disclosure policy quickly
turned into the realization that the positive impact resulting from
our decision to expose APT1 outweighed the risk of losing much of
our ability to collect intelligence on this particular APT group. It
is time to acknowledge the threat is originating from China, and we
wanted to do our part to arm and prepare security professionals to
combat the threat effectively. The issue of attribution has always
been a missing link in the public’s understanding of the landscape
of APT cyber espionage. Without establishing a solid connection to
China, there will always be room for observers to dismiss APT
actions as uncoordinated, solely criminal in nature, or peripheral
to larger national security and global economic concerns. We hope
that this report will lead to increased understanding and
coordinated action in countering APT network breaches.

We
recognize that no one entity can understand the entire complex
picture that many years of intense cyber espionage by a single group
creates. We look forward to seeing the surge of data and
conversations a report like this will likely generate.

Dan
McWhorter

Managing Director, Threat Intelligence