Once APT1 has established access, it will periodically revisit the target's network over months or years to steal broad categories of IP, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from the target's leadership. It maintains access to victim networks for an average of 365 days; the longest time period was four years and 10 months.
Of the 141 victims known to Mandiant, 87 percent are headquartered in countries where English is the native language. Additionally, the industries targeted by APT1 match the industries China has identified as strategic to its growth.
Cyber Espionage Unit Could Have Thousands of Workers
Mandiant says its evidence has led it to connect APT1 to Unit 61398. Unit 61398's work is considered to be a state secret in China, but Mandiant believes it engages in harmful "Computer Network Operations." Mandiant notes that Unit 61398 requires its personnel be trained in computer security and computer network operations. It also requires its personnel to be proficient in English.
The group has a compound in the Pudong New Area of Shanghai. The central building of the compound is a 12-story, 130,663 square foot facility provided with special fiber optic communications infrastructure by China Telecom in the name of national defense. Based on the size of Unit 61398's physical infrastructure, Mandiant estimates it is staffed by hundreds and possibly thousands of people.
"Given the volume, duration and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators and people who then transmit stolen information to the requestors," the report notes. "APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management and logistics (e.g., shipping)."
"The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group in China leaves little doubt about the organization behind APT1," the report says. "We believe the totality of evidence we provide in this document bolsters the claim that APT1 is Unit 61398. However, we admit there is one other unlikely possibility: A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398's gates, performing tasks similar to Unit 61398's known mission."
As part of the report, Mandiant released more than 3,000 APT1 indicators, including domain names, IP addresses and MD5 hashes of malware. It also released Sample Indicators of Compromise (IOCs) and detailed descriptions of more than 40 families of malware in APT1's arsenal as well as 13 X.509 encryption certificates used by the group. It also released compilation videos showing actual attacker sessions and their intrusion activities.
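As an added illustration (not part of the article or of the Mandiant report) of how defenders consume an indicator release of this shape, the Python below loads a small feed of domain, IP address and MD5 indicators, normalizes each category, and checks them against DNS/proxy log lines and file contents. Every indicator value, hostname and log line is a constructed placeholder; none is taken from the APT1 appendices, and the feed format (`type,value` lines) is an assumption for the example rather than Mandiant's own format.

```python
"""Match a released indicator list (domains, IPs, MD5 hashes) against logs.

Added example. The indicators, hosts and log lines below are constructed
placeholders, not APT1 indicators from the Mandiant report.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed feed in the same three categories the report released
# (domain names, IP addresses, MD5 hashes). Format is an assumption.
SAMPLE_INDICATORS = """\
# type,value
domain,update-check.example.invalid
domain,cdn.example.invalid
ip,203.0.113.45
ip,198.51.100.7
md5,9e107d9d372bb6826bd81d3542a419d6
"""

# Constructed DNS/proxy log lines (not real telemetry).
SAMPLE_LOGS = [
    "2013-02-19T10:01:02Z DNS host=ws-17 name=www.update-check.example.invalid",
    "2013-02-19T10:01:03Z PROXY host=ws-17 dst=203.0.113.45:443 bytes=18231",
    "2013-02-19T10:05:44Z DNS host=ws-22 name=intranet.corp.invalid",
    "2013-02-19T10:06:00Z PROXY host=ws-22 dst=192.0.2.10:80 bytes=512",
]


@dataclass
class IndicatorSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    md5s: set = field(default_factory=set)


def parse_indicators(text):
    """Parse 'type,value' lines into normalized sets; skip comments and blanks."""
    ind = IndicatorSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (p.strip() for p in line.split(",", 1))
        value = value.lower()
        if kind == "domain":
            ind.domains.add(value.rstrip("."))
        elif kind == "ip":
            # ip_address() rejects malformed entries instead of silently keeping them
            ind.ips.add(str(ipaddress.ip_address(value)))
        elif kind == "md5":
            if not re.fullmatch(r"[0-9a-f]{32}", value):
                raise ValueError(f"bad md5 indicator: {value}")
            ind.md5s.add(value)
        else:
            raise ValueError(f"unknown indicator type: {kind}")
    return ind


def domain_matches(name, domains):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


HOST_RE = re.compile(r"name=(\S+)")
DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def scan_logs(lines, ind):
    """Return (line, matched_indicator) pairs for every log line that hits."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if m and domain_matches(m.group(1), ind.domains):
            hits.append((line, m.group(1)))
            continue
        m = DST_RE.search(line)
        if m and m.group(1) in ind.ips:
            hits.append((line, m.group(1)))
    return hits


def scan_files(files, ind):
    """files: {path: bytes}. Return the paths whose MD5 is in the indicator set."""
    return [p for p, data in files.items()
            if hashlib.md5(data).hexdigest() in ind.md5s]


if __name__ == "__main__":
    ind = parse_indicators(SAMPLE_INDICATORS)
    for line, hit in scan_logs(SAMPLE_LOGS, ind):
        print(f"HIT {hit}: {line}")
    sample_files = {"/tmp/a.bin": b"The quick brown fox jumps over the lazy dog"}
    print("hash hits:", scan_files(sample_files, ind))
```

Subdomain matching is deliberate: a released domain indicator is usually the registered name, while logs show the fully qualified host the victim resolved, so an exact-string comparison would miss most sightings. MD5 is used only because that is the hash type the report released; it identifies known samples but is not a collision-resistant fingerprint.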