Security company Mandiant has laid out damning evidence linking China to a sophisticated cyber espionage ring. Here's the backstory, point by point.

For years, observers have accused the Chinese government of supporting cyber espionage efforts to steal sensitive and valuable information from all manner of organizations, both in the public and private sector. The nature of cyber espionage, however, had made it difficult to point to a smoking gun that proves the Chinese government’s guilt once and for all.

Now IT security company Mandiant has released an extensive report titled “APT1: Exposing One of China’s Cyber Espionage Units,” in which the company argues that it is very likely that a cyber espionage outfit dubbed APT1 is, in fact, a branch of the Chinese military called PLA (People’s Liberation Army) Unit 61398. Though Mandiant acknowledges that its accusation isn’t entirely conclusive, the company lays out a compelling case for government officials in the United States and abroad to take further action to determine if, in fact, China supports a worldwide cyber espionage ring, which has targeted hundreds of companies representing upward of 20 industries with sophisticated APTs (advanced persistent threats).

The news should also be a wake-up call for IT professionals that APTs are a serious threat to their organizations’ data and intellectual property — and it’s time to get serious about upgrading their defenses accordingly. Antivirus software and firewalls just don’t cut it anymore.

Following is a Q&A about what Mandiant found in its extensive study of APT1, including what APT1 does, who it targets, and why it’s most likely connected with the Chinese government.

What is APT1?

APT1 is a cyber espionage organization based in China that has conducted APT campaigns against a broad range of victims across the globe since at least 2006.
Mandiant observes that it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.

Is APT1 beyond a shadow of a doubt sponsored by the Chinese government?

Mandiant is careful not to say outright that APT1 is definitively controlled by the Chinese government. Rather, the report states that “our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”

But the answer does appear to be that yes, APT1 is a government organization, as Mandiant’s only alternative scenario reads rather tongue-in-cheek: “A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

At the very least, the Chinese government is an accomplice to APT1’s activities in that it has turned a blind eye to them. The Chinese government is notorious for scrutinizing every bit of data that flows in and out of the nation’s “great firewall.” It’s tough to imagine Chinese officials simply haven’t noticed incident after incident of successful cyber breaches targeting organizations worldwide.

What connections has Mandiant identified between the Chinese government and APT1?

Mandiant proposes that APT1 is, in fact, a branch of the Chinese military: People’s Liberation Army (PLA) Unit 61398. APT1 and Unit 61398 are similar in their mission, capabilities, and resources, according to Mandiant.
What’s more, Unit 61398 “is also located in precisely the same area from which APT1 activity appears to originate.” Specifically, Mandiant said it has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based. Additionally, Mandiant found that China Telecom provides special fiber optic communications infrastructure for Unit 61398.

Finally, Mandiant points out that “in a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai. The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed. Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government.”

Who has APT1 targeted?

The group targets organizations in predominantly English-speaking countries: Of the 141 APT1 victims Mandiant has identified, 87 percent are headquartered in countries where English is the native language. This includes 115 victims in the United States and seven in Canada and the United Kingdom. In terms of industries, Mandiant reports that the highest percentage of attacks targeted IT companies, followed by aerospace companies.
However, the total list contains 20 industries, ranging from energy and transportation to chemicals and financial services.

The group steals a broad range of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership, according to Mandiant.

Mandiant estimated that APT1 steals as much as 6.5 terabytes of compressed data from a single organization over a 10-month time period and estimates the group has likely stolen hundreds of terabytes from its victims.

How is that stolen data used?

Mandiant concedes that it does not have any direct evidence as to who receives data stolen by APT1 or how all that data is processed. However, the company believes that this stolen information can be used to “obvious advantage by the PRC and Chinese state-owned enterprises.”

As an example, Mandiant points to a data heist in 2008, targeting a company in the wholesale industry. “Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel. During this same time period, major news organizations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organization for one of its major commodities.”

“This may be coincidental; however, it would be surprising if APT1 could continue perpetrating such a broad mandate of cyber espionage and data theft if the results of the group’s efforts were not finding their way into the hands of entities able to capitalize on them,” according to Mandiant.

How extensive is APT1’s infrastructure?

According to Mandiant, APT1 controls thousands of systems in support of their computer intrusion activities.
In the past two years, the company observed APT1 establish at least 937 command-and-control servers hosted on 849 distinct IP addresses in 13 countries: 709 were registered to organizations in China, and 109 were registered in the United States.

Between January 2011 and January of this year, Mandiant has confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, which provides a remote user with access to a system.

Further, in the past several years, Mandiant has confirmed 2,551 FQDNs (fully qualified domain names) attributed to APT1.

How many people work for APT1?

Mandiant estimates that APT1 has at least dozens, if not hundreds, of human operators. “Given the volume, duration, and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors,” according to Mandiant. “APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics (e.g., shipping).”

How does APT1 breach a target network?

APT1 has honed its attack methodology over the years to steal massive quantities of intellectual property. The group begins with aggressive spear phishing, proceeds to deploy custom digital weapons, and ends by exporting compressed bundles of files to China. One of APT1’s strengths is that its operators have a sufficiently strong grasp of the English language — a useful skill for duping end-users with socially engineered emails. What’s more, APT1 has worked on developing its digital weapons for more than seven years, so the organization rolls out software upgrades on a continual basis.
“Their ability to adapt to their environment and spread across systems makes them effective in enterprise environments with trust relationships,” according to Mandiant.

For example, after duping a user into launching a malware-infected PDF, an APT1 attacker will install a backdoor, which is fairly typical for an APT attack. However, while APT1 intruders occasionally use publicly available backdoors, such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. Mandiant has documented 42 families of backdoors used by APT1 that are not publicly available.

How does APT1 maintain its presence on a victim’s network for so long?

According to Mandiant, APT1 employs three primary techniques to remain entrenched in a victim’s network.

One approach is to install new backdoors on multiple systems as they claim more machines. That way, if one backdoor is detected and removed, attackers will still have access. “We usually detect multiple families of APT1 backdoors scattered around a victim network when APT1 has been present for more than a few weeks,” according to Mandiant.

A second approach is to use valid VPN credentials to impersonate legitimate users. Mandiant has observed attackers using stolen usernames and passwords to log into victim networks’ VPNs when the VPNs are only protected by single-factor authentication.

The third approach is to log in to Web portals using stolen credentials. This includes not only restricted websites, but also Web-based email systems, such as Outlook Web Access.

This story, “The top 10 questions about the People’s Liberation Army’s cyber attacks,” was originally published at InfoWorld.com.
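The second and third persistence techniques above both rely on stolen credentials being accepted by single-factor VPN and webmail portals, which is something a defender can look for in authentication logs. The following is an added example, not code from Mandiant or InfoWorld: it parses a constructed, space-separated login log (the format, the trusted address range and the sample entries are all assumptions made for the illustration) and flags single-factor successes from outside the organization's expected networks, one source address authenticating as several different accounts, and accounts that have never presented a second factor.

```python
"""Spot stolen-credential use on single-factor VPN and webmail portals.

Added illustration, not Mandiant's or InfoWorld's code. It assumes a
simple space-separated authentication log (constructed below) with the
fields: timestamp, service, user, source IP, factors=N, result=X.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: a normal working day, then three accounts used
# from one unfamiliar address against single-factor services. All IPs are
# documentation ranges (RFC 5737), not real infrastructure.
SAMPLE_LOG = """\
2013-02-18T08:02:11Z vpn alice 198.51.100.23 factors=2 result=success
2013-02-18T08:05:40Z owa bob 198.51.100.77 factors=1 result=success
2013-02-18T09:15:02Z vpn carol 198.51.100.90 factors=1 result=success
2013-02-19T02:41:33Z vpn bob 203.0.113.45 factors=1 result=success
2013-02-19T02:43:10Z owa carol 203.0.113.45 factors=1 result=success
2013-02-19T02:47:58Z owa dave 203.0.113.45 factors=1 result=failure
2013-02-19T02:48:30Z vpn dave 203.0.113.45 factors=1 result=success
"""

# Networks the organization expects remote users to arrive from (assumed).
TRUSTED_NETWORKS = [ip_network("198.51.100.0/24")]


def parse_line(line):
    """Turn one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, service, user, src, factors, result = parts
    try:
        return {
            "ts": ts,
            "service": service,
            "user": user,
            "src": ip_address(src),
            "factors": int(factors.split("=", 1)[1]),
            "success": result.split("=", 1)[1] == "success",
        }
    except ValueError:
        return None


def is_trusted(addr):
    """True when the source address lies inside an expected network."""
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze(log_text, max_accounts_per_source=2):
    """Return a list of (rule, detail) findings over the whole log."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    users_by_source = defaultdict(set)

    for e in events:
        if not e["success"]:
            continue
        # Rule 1: a successful single-factor login from outside trusted space
        # is exactly what a stolen username/password pair looks like.
        if e["factors"] < 2 and not is_trusted(e["src"]):
            findings.append(("single_factor_untrusted_source",
                             f'{e["user"]}@{e["service"]} from {e["src"]}'))
        users_by_source[e["src"]].add(e["user"])

    # Rule 2: one source address authenticating as many distinct accounts.
    for src, users in users_by_source.items():
        if len(users) > max_accounts_per_source:
            findings.append(("shared_source_many_accounts",
                             f"{src}: {sorted(users)}"))

    # Rule 3: accounts that never present a second factor (policy gap to close).
    max_factors = defaultdict(int)
    for e in events:
        max_factors[e["user"]] = max(max_factors[e["user"]], e["factors"])
    for user, factors in sorted(max_factors.items()):
        if factors < 2:
            findings.append(("account_without_mfa", user))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Rule 1 and rule 2 fire on the second day of the sample, where bob, carol and dave all authenticate from the same outside address; rule 3 lists every account the organization has not yet moved to a second factor, which is the mitigation the report's observation points to. In a real deployment the trusted-network list would come from the VPN concentrator's own configuration and the thresholds would be tuned against a baseline of normal activity.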