Mandiant made the headlines last week when it released a report along with a video showing some damning proof of hacking attempts by what looks like organized Chinese hackers, along with details as to how they operate and the fact that they are backed by government agencies. In this report, the research firm exposes massive corporate espionage schemes along with many indicators that link these processes to a Chinese government office called Unit 61398.
Referring to these people as an Advanced Persistent Threat (APT), for seven years now, Mandiant has been monitoring the hacking activities against hundreds of organizations. Of course with the latest news from the New York Times, Wall Street Journal and Apple, all this month and all pointing at hacking attempts from China, the picture seems quite dark from the world’s most populous country. Let’s see what the current landscape looks like in the world of cyber attacks, and what this is likely to mean for the future.
In its report, Mandiant points at over 150 victims of this hacking group yet they say this is only one of over 20 different groups operating as a direct result of resources provided by Unit 61398. Calling this group APT1, researchers monitored the activities that they conducted from an office next to a government complex hosting Unit 61398 in Shanghai. All of this is done through a special link that China Telecom, the government owned national telecommunication company, provides in the name of “national defense”. The researchers observed APT1 break into at least 141 organizations spanning 20 industries, and they periodically revisit the same companies every few months in order to steal as many secrets as they can. The tools they use seem to be well known in the hacking underground and used by many Chinese based hacking teams. They have transferred many terabytes of stolen material, with 6.5TB coming from a single organization.
To be employed by APT1, one of the requirements is to speak English, and judging from all of its victims, the vast majority are in the English speaking world, which paints a clear picture of China’s intended targets. This is a vast campaign aimed at Europe and North America, with the US in particular, by highly trained individuals who have significant backing. The hacking group has over a thousand servers and dozens if not hundreds of individuals conducting the operations. Mandiant also tracked individual hackers by code names and the contributions they did to the hacking group, including phone numbers they used, email addresses they registered to send phishing emails, and malware code that they created (see the Ars Technica story about the coincidental help of Anonymous in possibly identifying individuals). Overall, the report is an eye opening account of the amount of online hacking that is going on from China.
What does it mean to you?
But while this release has made worldwide news and many people focused on the past actions of APT1, the report also includes some information that can be crucial for security pros in order to protect ourselves and our networks from such attacks. Mandiant states that one of the reasons for releasing all of this information is that they believe they have useful indicators as to how organizations can protect themselves from such Chinese attack squads.
After describing in length how the group operates and how they get a foothold into organizations, the appendix lists a lot of interesting information, including the network blocks that they use along with domain names. APT1 seems to have a very specific naming scheme for domains, going for easily recognizable names like newyorktimesnews.net, cnndaily.net, aolonline.com, cosplaymagazine.com and so on. It is clear that the intent here is to confuse users.
Some information disturbingly shows that they have made extensive use of online services to hide their tracks in an even smarter way. One example is creating hundreds of accounts at Dynamic DNS services, allowing them to have US based names on which to upload their malware. APT1 also makes extensive use of Google’s App Engine, with a lot of the hack attempts now being cloud-based and launched from appspot.com. Finally, it’s no longer the case that these hackers have their own Chinese based email accounts which could be fairly easily blocked. Instead, all of the screenshots provided show that they use proxies along with hundreds of Gmail and Yahoo accounts, with names that look like normal users, since these people already speak fluent English.
So what does all of this mean for a typical IT admin? Well, trouble for one thing. In the 90s we used to be confident that if we blocked IPs coming from some specific locations around the world, we would be relatively safe from hacking attempts. Now however, as we can see from this report, the landscape has changed completely. These groups are fully integrated on the net, they are using Google services like the rest of us, they have US based IPs, hostnames, email accounts, and are even embracing the cloud. This means blocking them is a whole other story, because they look like any other online user. Yet the fact that they managed to get into so many large organizations show that they have access to the latest malware, some that they write themselves and are thus undetectable.
Recently the President announced that the US would be expanding its cyber security forces, and last week issued an executive order. But these things won’t change much in the immediate future. The only real solution seems to be constant vigilance and a sharp increase in education. It seems more and more likely that if such a hacking group targets your particular organization, they will go to extraordinary lengths to get in, and only paranoia might save your network. The sad thing is that it doesn’t take much imagination to defeat current best practices that we all try and teach employees.
In one of the screenshots from the report, a sample email is shown where what appears to be a PDF document is included. Only the small, grey notice next to it saying “Application” might actually alert the user that this is not a PDF. By knowing the screen resolution that is likely to be used by the employee, and the email client used, it’s trivial for someone to realize how many characters will be shown on the screen. Then the attacker can name their binary file so that the filename is cut just at the right place, and instead of showing “filename.pdf.exe” it shows “filename.pdf [...]“. Add to that the Adobe logo next to it and you have an almost foolproof attack which very few non-technical users would spot.