Security in Context: The BeyondTrust Blog


Mandiant APT1 report, some unanswered questions.

Posted February 21, 2013    Marc Maiffret

For the last several years there have been an increasing number of accusations that China and its military are behind the systematic targeting of organizations throughout the world in a sophisticated hacking campaign to steal data and access in order to further China’s economic, military and social agendas. These accusations come from a mass of security industry researchers, government officials, and even victim organizations themselves. Throughout all of the claims and data provided, there has yet to be concrete evidence that proves China is indeed behind these vast attacks. This is due in part to the difficult task of attributing a given attack to a specific person, group or country.

This week the landscape of attribution in these attacks has seemingly shifted from opinion about China’s involvement to something close to unmistakable evidence of it, at least if one is still willing to bet on the principle of Occam’s razor. The catalyst for this change was a research report released by security firm Mandiant. Within Mandiant’s 74-page report is one of the clearest cases yet made for the involvement of China in the continuing spree of hacking attacks targeting some of the world’s most important organizations.

At the heart of Mandiant’s evidence are statistically heavy assertions that a vast number of the attacks they have investigated lead back to systems in China, and more specifically, to four large computer networks in Shanghai. Two of the four networks reside within the Pudong New Area of Shanghai, which happens to house China’s People’s Liberation Army (PLA) Unit 61398. Mandiant goes on to show Unit 61398 as part of a cyber-arm of the Chinese military, leaving the reader with the choice of believing either that a sophisticated, multi-year, enterprise-wide hacking spree has been happening right under the nose of one of the most “big brother” regimes in history, or the more likely idea that Unit 61398 is in fact the government-sanctioned organization behind these hacking attacks.

Mandiant’s data pointing the finger at Unit 61398 does not stop at the coincidence of network location. It is well understood in the security industry that an attacker can cover their tracks and hop through many countries and networks until they reach their final destination. Mandiant, however, removes doubt by providing information showing that the hackers behind these attacks not only seem to originate near or at Unit 61398’s location, but that they appear to predominantly use Chinese-language computer systems in performing their attacks. This further removes doubt about who the bad actors are in these attacks, as it would be extremely operationally intensive for a non-Chinese actor, such as a rogue hacker group in another country or a foreign government, to employ the number of Chinese-reading and -writing hackers that Mandiant claims are behind these attacks.

While the report provides the most concrete public assessment to date as to China’s involvement in widespread computer attacks, it also introduces a lot of questions that need to be answered. A lot of these unanswered questions center around not who was behind the attacks or what they did after successfully breaching computer networks, but how these attackers were able to compromise some of the most important organizations in the world.

There is a systemic problem within the computer security industry; as an industry we are really good at saying what the bad guys do once they get in but rarely are we good at saying how they got in. The Mandiant report does offer some data on how companies were targeted and compromised. That data is largely around examples of companies being compromised via malicious email attachments and vague references to web based attacks. Had the report been only about attribution to China without mention of these attack vectors, then one might not need to pose these questions.

The most concrete examples of attacks were those around emails that were specially crafted for their intended targets. These emails were crafted to be believable, so that a target would have some level of trust in them and therefore follow through in opening the attachment included within the email. The email attachments were typically compressed zip archives that contained executable programs, which sometimes appeared, based on the program’s icon image, to be Adobe Reader documents. Once a victim opened and executed one of these attachments, malware would be downloaded to the victim’s system to give attackers remote access to do as they pleased.

This style of email attachment attack, whereby an attacker embeds a malicious program within a compressed zip file and tricks a user into executing it, is nothing new. In fact, in the 1990s this style of attack was so prolific that it forced Microsoft, in roughly 1998, to change the behavior of its popular Outlook email program to disallow the receiving of executable attachments by default. While Outlook can still receive executable attachments within compressed zip files, it is a long-known security best practice for companies to deny inbound executable attachments, even when they are within compressed zip files. This is something that even popular email services such as Google’s Gmail do by default, both for executables and for executables within zip files.
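As an added illustration of the filtering this paragraph describes (example code written for this edit, not code from the post or from BeyondTrust), the following Python gateway check rejects an inbound attachment if it is an executable by extension or by magic bytes, or if a zip archive it carries contains one. It also covers the icon-spoofing case the report describes, a program named like a document (`Quarterly_Report.pdf.exe`), by matching on the `MZ` header rather than trusting the name. The sample attachments, the extension list, the nesting limit and the per-member size cap are all constructed for this example and are not values from the page.

```python
"""Inbound-attachment screening: the 1990s-era control the post refers to.

Reject executables arriving directly or inside a zip archive, matching on
both the file extension and the file's leading bytes, so that a renamed
program shipped with a document icon is still caught.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Extensions Windows will run directly when double-clicked.
# Illustrative subset chosen for this example; a real gateway carries a longer list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll",
    ".js", ".vbs", ".jse", ".vbe", ".wsf", ".hta",
}
PE_MAGIC = b"MZ"             # every Windows PE executable starts with 'MZ'
ZIP_MAGIC = b"PK\x03\x04"    # local file header of a zip archive
MAX_MEMBER_BYTES = 1 << 20   # inflate at most 1 MiB per member (decompression-bomb guard)
MAX_NESTING = 2              # a zip inside a zip is inspected; anything deeper is rejected


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def _has_executable_extension(name: str) -> bool:
    """Judge by the final extension only: 'Quarterly_Report.pdf.exe' is an .exe."""
    lowered = name.lower().strip()
    dot = lowered.rfind(".")
    return dot != -1 and lowered[dot:] in EXECUTABLE_EXTENSIONS


def screen_attachment(filename: str, data: bytes, depth: int = 0) -> Verdict:
    """Return a Verdict for one attachment; recurses into zip archives."""
    reasons: List[str] = []
    if _has_executable_extension(filename):
        reasons.append(f"{filename}: executable file extension")
    if data.startswith(PE_MAGIC):
        reasons.append(f"{filename}: Windows PE (MZ) header regardless of name or icon")
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_NESTING:
            reasons.append(f"{filename}: zip nested deeper than policy allows")
        else:
            reasons.extend(_screen_zip(filename, data, depth))
    return Verdict(allowed=not reasons, reasons=reasons)


def _screen_zip(filename: str, data: bytes, depth: int) -> List[str]:
    """Inspect each member of a zip without unpacking it to disk."""
    reasons: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # encrypted member: cannot be inspected, so reject
                    reasons.append(f"{filename}/{info.filename}: encrypted member cannot be inspected")
                    continue
                with zf.open(info) as member:
                    head = member.read(MAX_MEMBER_BYTES)
                inner = screen_attachment(info.filename, head, depth + 1)
                reasons.extend(f"{filename}/{r}" for r in inner.reasons)
    except zipfile.BadZipFile:
        reasons.append(f"{filename}: malformed zip archive")
    return reasons


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): an 'MZ' prefix stands in for a PE file.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
SAMPLE_BENIGN_ZIP = make_zip({"notes.txt": b"quarterly figures attached separately"})
SAMPLE_LURE_ZIP = make_zip({"Quarterly_Report.pdf.exe": FAKE_PE})

if __name__ == "__main__":
    for name, blob in [("notes.zip", SAMPLE_BENIGN_ZIP), ("report.zip", SAMPLE_LURE_ZIP)]:
        verdict = screen_attachment(name, blob)
        print(name, "ALLOW" if verdict.allowed else "BLOCK", verdict.reasons)
```

The two checks are deliberately independent: the extension rule catches scripts and installers that have no `MZ` header, and the magic-byte rule catches a PE file whose name has been changed to something harmless. Encrypted and malformed archives are rejected rather than passed, since a filter that cannot see inside an archive cannot apply the policy to it.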

There is no debate that attackers will always use their most basic attacks to compromise systems as there is no point in exposing your best tools when you do not need to. There is also not much doubt that your average computer user can easily be duped into opening and running attachments. That is why even everyday cybercrime attacks employ these same attack methods, knowing that your average home user is not behind any corporate security perimeter with a basic level of security filtering in place. But the computers presumably targeted by the Chinese military are not your average consumer computers, rather those at organizations of interest to the Chinese government.

If one were to base a conclusion on the attack data supplied within the Mandiant report, one would be left concluding that some of the most important organizations within the United States and elsewhere fell victim to the Chinese military because these organizations failed to implement 1990s security best practices on email attachments: filtering of executables and of executables within compressed zip files.

There are alternative conclusions, such as Mandiant having simply chosen to give only data on the unsophisticated examples of attacks the Chinese perform, while keeping their knowledge of the more sophisticated attacks out of the report. There is also the possibility that China’s Unit 61398 is their less sophisticated group or a combination of both entry-level and advanced hackers.

Mandiant gives examples of different personas they tracked in relation to these attacks. In some cases, the personas show a lack of operational security to the extent of reusing the same online identities and signatures within public forums and security sites, and also within some of the specific malware created by the Chinese hackers Mandiant describes. Those basic mistakes are not in line with sophisticated attackers, but rather with those who would employ such basic email attachment attacks.

There is no doubt that China, like every other modern nation, has talented hackers and sophisticated attack tools not mentioned in this Mandiant report. It is also beyond doubt that Mandiant has unleashed with this report a tidal wave of organizational review within the Chinese military that will lead to the bettering of their capabilities and operational safeguards. One can only guess what level of review and organizational change the victims of Unit 61398 have undertaken, especially those unable to prevent the basic email attachment attacks.

In Mandiant’s report, they include a memo from China Telecom. The memo, within a single page, makes a case for and asks for the expedient approval of the telecommunications needs of Unit 61398 so that it can perform its mission. The simplicity with which this was proposed, and one assumes approved, is probably the most important takeaway in all of this. When you get beyond the technical whodunit and how, the determining factor in winning this race is being able to make the right decisions quicker than one’s opponent. Colonel John Boyd would surely be hugely disappointed in us.
