ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
john.copeland@ece.gatech.edu
404 894-5177
Advanced Persistent Threat
Material excerpted from
Mandiant APT1 Report – www.mandiant.com/apt1
Feb. 22, 2013
APT1 has systematically stolen hundreds of terabytes of data from at
least 141 organizations, and has demonstrated the capability and intent
to steal from dozens of organizations simultaneously.
»» Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20
major industries.
»» APT1 has a well-defined attack methodology, honed over years and designed to steal
large volumes of valuable intellectual property.
»» Once APT1 has established access, they periodically revisit the victim’s network over
several months or years and steal broad categories of intellectual property, including
technology blueprints, proprietary manufacturing processes, test results, business plans,
pricing documents, partnership agreements, and emails and contact lists from victim
organizations’ leadership.
»» APT1 uses some tools and techniques that we have not yet observed being used by
other groups including two utilities designed to steal email — GETMAIL and MAPIGET.
***
»» Among other large-scale thefts of intellectual property, we have observed APT1
stealing 6.5 terabytes of compressed data from a single organization over a ten-month time
period.
»» In the first month of 2011, APT1 successfully compromised at least 17 new victims
operating in 10 different industries.
2/24/2013
Mandiant APT1 Report – www.mandiant.com/apt1
2
APT1 maintains an extensive infrastructure of computer systems around
the world.
»» APT1 controls thousands of systems in support of their computer intrusion
activities.
»» In the last two years we have observed APT1 establish a minimum of 937
Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries.
The majority of these 849 unique IP addresses were registered to organizations in China
(709), followed by the U.S. (109).
»» In the last three years we have observed APT1 use fully qualified domain names
(FQDNs) resolving to 988 unique IP addresses.
»» Over a two-year period (January 2011 to January 2013) we confirmed 1,905
instances of APT1 actors logging into their attack infrastructure from 832 different IP
addresses with Remote Desktop, a tool that provides a remote user with an interactive
graphical interface to a system.
»» In the last several years we have confirmed 2,551 FQDNs attributed to APT1.
2/24/2013
Mandiant APT1 Report – www.mandiant.com/apt1
3
Initial Reconnaissance
Study the target’s Web Pages, do Google and Bing searches.
Learn the names of employees, particularly executives and engineers.
Study them on social networks (YouTube, LinkedIn, Facebook, Twitter, … ).
Initial Compromise
Craft spear-phishing messages with Trojan Horse attachments, links, jpegs, …
- or Take advantage of a fortuitous compromise by a wide-spread exploit.
Establish Foothold
Add root kits and
backdoors.
Initial
Recon.
Maintain
Presence
Move
Laterally
Initial
Establish
Compromise Foothol
d
Escalate
Privileges
2/24/2013
Internal
Recon.
Mandiant APT1 Report – www.mandiant.com/apt1
Complete
Mission
(leave back
doors)
4
On some occasions,
unsuspecting email
recipients have replied to
the spear phishing
messages, believing they
were communicating with
their acquaintances.
It’s legit ->
2/24/2013
In one case a person
replied, “I’m not sure if
this is legit, so I didn’t
open it.” Within 20
minutes, someone in APT1
responded with a terse
email back: “It’s legit.”
Mandiant APT1 Report – www.mandiant.com/apt1
5
After creating files compressed via RAR, the APT1
attackers will transfer files out of the network in ways
that are consistent with other APT groups, including
using the File Transfer Protocol (FTP) or their existing
backdoors.
. rar
Many times their RAR files are so large that the
attacker splits them into chunks before transferring
them. Figure 19 above shows a RAR command with
the option “-v200m”, which means that the RAR file
should be split up into 200MB portions.
FIGURE 20: APT1 bundles stolen files into “rar” archives before moving data to China
2/24/2013
Mandiant APT1 Report – www.mandiant.com/apt1
6
Worth Noting
The APT has only collected information (commercial, government,
military), trying not to leave a trace of its presence.
Unlike gangster hacking organizations, there have been no deliberate
damages (deletion of data, denial of service, …) or demands for
payment.
The APT (and other nation-level organizations) have reconnoitered
Internet backbones and utility infrastructure networks, and have put
back doors and logic bombs in place. They are apparently developing
to capability to do extensive physical damage to the U.S. infrastructure
and economy if (or maybe, when) it becomes advantageous to do so.
Ref. "Cyberwar, the Next Threat to National Security, and What to Do
About It," by Richard C. Clark (2010).
2/24/2013
7