Today, The Mandiant® Intelligence Center™ released an unprecedented
report exposing APT1’s multi-year, enterprise-scale computer
espionage campaign. APT1 is one of dozens of threat groups Mandiant
tracks around the world and we consider it to be one of the most
prolific in terms of the sheer quantity of information it has
Highlights of the report include:
linking APT1 to China’s 2nd Bureau of the People’s Liberation Army
(PLA) General Staff Department’s (GSD) 3rd Department (Military
Cover Designator 61398).
- A timeline of APT1 economic
espionage conducted since 2006 against 141 victims across multiple
- APT1’s modus operandi (tools, tactics,
procedures) including a compilation
of videos showing actual APT1 activity.
timeline and details of over 40 APT1 malware families.
- The timeline and details of APT1’s extensive attack
Mandiant is also releasing a digital
appendix with more than 3,000 indicators to bolster defenses against
APT1 operations. This appendix includes:
delivery of over 3,000 APT1 indicators, such as domain names, and
MD5 hashes of malware.
- Thirteen (13) X.509 encryption
certificates used by APT1.
- A set of APT1 Indicators of
Compromise (IOCs) and detailed descriptions of over 40 malware
families in APT1’s arsenal of digital weapons.
- IOCs that
can be used in conjunction with Redline™,
Mandiant’s free host-based investigative tool, or with Mandiant
Intelligent Response® (MIR), Mandiant’s commercial
enterprise investigative tool.
The scale and impact
of APT1’s operations compelled us to write this report. The decision
to publish a significant part of our intelligence about Unit 61398
was a painstaking one. What started as a “what if”
discussion about our traditional non-disclosure policy quickly
turned into the realization that the positive impact resulting from
our decision to expose APT1 outweighed the risk of losing much of
our ability to collect intelligence on this particular APT group. It
is time to acknowledge the threat is originating from China, and we
wanted to do our part to arm and prepare security professionals to
combat the threat effectively. The issue of attribution has always
been a missing link in the public’s understanding of the landscape
of APT cyber espionage. Without establishing a solid connection to
China, there will always be room for observers to dismiss APT
actions as uncoordinated, solely criminal in nature, or peripheral
to larger national security and global economic concerns. We hope
that this report will lead to increased understanding and
coordinated action in countering APT network breaches.
recognize that no one entity can understand the entire complex
picture that many years of intense cyber espionage by a single group
creates. We look forward to seeing the surge of data and
conversations a report like this will likely generate.
Managing Director, Threat Intelligence