Report Links APTs to Chinese Government Group
While proving Chinese government involvement with the large number of APTs that appear to originate in China has been difficult, security firm Mandiant on Tuesday issued a detailed report with evidence that links one of the largest APT groups in the world, which it calls APT1, directly to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department Military Unit Cover Designator 61398 (or Unit 61398 for short).
The report details how Unit 61398 has allegedly systematically stolen confidential data from at least 141 organizations across multiple industries, mostly in the English-speaking world.
"The scale and impact of APT1's operations compelled us to write this report," Dan McWhorter, Mandiant's managing director of Threat Intelligence, writes in a recent blog post.
"The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a 'what if' discussion about our traditional nondisclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk of losing much of our ability to collect intelligence on this particular APT group," McWhorter adds.
"It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively," McWhorter writes. "The issue of attribution has always been a missing link in the public's understanding of the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns."
The picture painted by Mandiant's evidence is not of an uncoordinated organization with limited scope. According to Mandiant, APT1 is just one of more than 20 APT groups with origins in China, but it is one of the most prolific cyber espionage groups in terms of the quantity of information stolen.
APT1 Has Stolen Hundreds of Terabytes of Data
"The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted," the report notes. "Though our visibility of APT1's activities is incomplete, we have analyzed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1's attack infrastructure, command and control and modus operandi (tools, tactics and procedures)."
According to Mandiant, APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations spanning 20 major industries, and even has the capability to steal from dozens of organizations simultaneously. Mandiant said it observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a 10-month time period.