Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators

Read the original article: Mandiant Exposes APT1 – One of China’s Cyber Espionage Units &
Releases 3,000 Indicators


Today, the Mandiant® Intelligence Center™ released an unprecedented report exposing APT1’s multi-year, enterprise-scale computer espionage campaign. APT1 is one of dozens of threat groups Mandiant tracks around the world, and we consider it to be one of the most prolific in terms of the sheer quantity of information it has stolen.

Highlights of the report include:

  • Evidence linking APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398).
  • A timeline of APT1 economic espionage conducted since 2006 against 141 victims across multiple industries.
  • APT1’s modus operandi (tools, tactics, procedures).
  • The timeline and details of over 40 APT1 malware families.
  • The timeline and details of APT1’s extensive attack infrastructure.

Mandiant is also releasing a digital appendix with more than 3,000 indicators to bolster defenses against APT1 operations. This appendix includes:

  • Digital delivery of over 3,000 APT1 indicators, such as domain names and MD5 hashes of malware.
  • Thirteen (13) X.509 encryption certificates used by APT1.
  • A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1’s arsenal of digital weapons.
  • IOCs that can be used in conjunction with Redline™, Mandiant’s free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant’s commercial enterprise investigative tool.

The scale and impact of APT1’s operations compelled us to write this report. The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a "what if" discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk of losing much of our ability to collect intelligence on this particular APT group. It is time to acknowledge that the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively. The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.

We recognize that no one entity can understand the entire complex picture that many years of intense cyber espionage by a single group creates. We look forward to seeing the surge of data and conversations a report like this will likely generate.

Dan McWhorter

Managing Director, Threat Intelligence
