Guest post: Lessons learned from the recent Mandiant report about APT1

Today’s post is a guest post from Megan Horner, Social Media Manager & Marketing Coordinator of trainACE. It is regarding a recent security report issued by Mandiant, entitled APT1: Exposing One of China’s Cyber Security Units.

Megan, take it away!

Lessons Learned From the Mandiant Report 

Recently, security company Mandiant released a report detailing the size and scope of Chinese hacking efforts, and there are two main takeaways from it: First, the sheer scale of the hacking as part of an effort backed by the Chinese government was eye-opening. Second, Mandiant provided an impressive level of detail, both in its description of the attacks and in its identification of the perpetrators, whose efforts, according to Mandiant, could largely be traced to a single army unit working in a single building just outside Shanghai.

Security professionals can take several lessons from the report, but the lessons are not as much about threats of unprecedented technical sophistication – although these threats are by no means crude – as they are about the scale of the attacks, their persistence and the level of organization behind them.

In fact, the report tells of story of an effort that could serve as the very definition of an Advanced Persistent Threat (APT) and Mandiant itself refers to one of the more than 20 groups allegedly involved as APT1.

One advanced aspect of the threat is its location within the Chinese government, where it emanates from a unit of the People’s Liberation Army called Unit 61398. As a military unit, this is a group with access to enormous resources. It is blessed with its own special link to government-owned China Telecom, although this relationship is cloaked in its general classification as a part of generic “national defense.”

APT1 alone may employ hundreds of individuals and, according to Mandiant, it certainly deploys more than 1,000 servers in its mission. This is not a small-scale, back-room operation run by a few hackers who do business on a hit-or-miss basis. If you’re wondering about its targets, one clue is that APT1 recruits only people who speak English. Clearly, the United States is at the top of the group’s hit list, and Mandiant’s findings bear that out, with the bulk of the attacks targeted at the English-speaking world.

Mandiant claims that APT1 alone has accessed no fewer than 141 companies in 20 different industries, and the group is not content to hack once and move on. Once visited, an organization can expect to see APT1 again every few months. One organization, the report says, has seen some 6.5 terabytes of data go out the door. This is a textbook example of a threat that is persistent.

There is more than enough bad news in the Mandiant report to keep security professionals awake at night.

First of all, these hackers are completely at home in the cloud and they are adept at concealing their origins and identities. The use Dynamic DNS to avail themselves of U.S. names that look completely innocent to ordinary users.

They use proxies and hundreds of Yahoo and Gmail accounts that look equally innocent, a means of disguise aided and abetted by their fluency in English. They use Google services and the Google App Engine for their exploits. Gone are the days when an administrator could feel safe after blocking suspect IPs in bulk. The hackers at APT1 are largely indistinguishable from ordinary users going about their harmless daily business.

If all that is not enough to give security professionals some sleepless nights, don’t forget that these hackers are equipped with the latest, best and least-detectable malware out there, and that if existing products fail to do the job, they’re more than capable of writing highly effective malware of their own.

The Department of Defense recently announced a new cyber-defense initiative. While welcome, that kind of initiative takes time to have an impact. For now, the best approach may be, sadly, an increased level of paranoia in the cyber security ranks. User education needs additional attention and administrative vigilance must be constant and unflagging. Remember that the hackers at APT1 are nothing if not persistent: If they’ve visited once, they’ll be back, just waiting for you to relax your guard.


About the Author


This is a guest post from Megan Horner, Marketing Coordinator at TrainACE. TrainACE offers cyber security classes from baseline to advanced, including CompTIA Security+ all the way to Advanced Exploit Development.



Comments (0)

Skip to main content