2013-05 Mandiant APT1 and M-Trends Overview for ISC2 Boston

APT1 & M-Trends 2013
PRESENTED BY: Grady Summers
© 2013 Mandiant Corporation. All rights reserved.
MAY 9, 2013
At Mandiant We Live the Headlines
Experts in Advanced Targeted Threats
• Incident responders to the biggest breaches
• We train the FBI & Secret Service
• Our CEO wrote the book (literally) on incident response
Our Products Are Based on Our Experience
• Built to fill a gap for incident responders
• We use our own products in our investigations
• SC Magazine 2012 & 2013 “Best Security Company”
Nationwide Presence
• 350+ employees
• Offices in DC, New York, LA, San Francisco, and Albuquerque
Free Resources
• Free tools
  - Redline
  - IOC Editor
  - IOC Finder
  - Memoryze
  - Memoryze for Mac
  - Highlighter
  - Web Historian
• Resources
  - M-Trends
  - M-Unition
  - blog.mandiant.com
• Forums
  - Forums.mandiant.com
• Education
  - Black Hat classes
  - Custom classes
  - Webinar series
Anatomy of a Targeted Attack
Attackers Move Methodically to Gain Persistent & Ongoing Access to Their Targets
• Initial Compromise
  - Social engineering
  - Spear phishing e-mail with custom malware
  - 3rd party application exploitation
• Establish Foothold
  - Custom malware
  - Command and control
• Escalate Privileges
  - Credential theft
  - Password cracking
  - “Pass-the-hash”
• Internal Recon
  - Critical system recon
  - System, Active Directory & user enumeration
• Move Laterally
  - Net use commands
  - Reverse shell access
• Maintain Presence
  - Backdoor variants
  - VPN subversion
  - Sleeper malware
• Complete Mission
  - Staging servers
  - Data consolidation
  - Data theft
At organizations where Mandiant responded to a targeted attack in the last year, the typical attacker went undetected for 273 days.
Visibility is critical
Attack lifecycle: Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission
EVIDENCE OF COMPROMISE
• Unauthorized Use of Valid Accounts
• Known & Unknown Malware
• Command & Control Activity
• Suspicious Network Traffic
• Files Accessed by Attackers
• Valid Programs Used for Evil Purposes
• Trace Evidence & Partial Files
Of all of the compromised machines Mandiant identified in 2011, only 54% had malware on them.
Inside APT 1
Background
• Monday, February 18, 2013: Mandiant released an intelligence report on threat group APT1
• Linked APT1 to PLA unit 61398
• Provided hard evidence
• Released 3000+ immediately actionable indicators of compromise
  - OpenIOC format
  - Malware reports
  - IPs/domain names
  - MD5s
  - SSL Certificates
• 5 minute video showing footage of the attacker in action
• Set the bar for actionable intelligence sharing
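The OpenIOC indicators released with the report are evaluated as AND/OR trees of indicator items against artifacts collected from a host. The evaluator below is an added example of that logic, not Mandiant's IOC Finder or any code from the APT1 report; the IOC document, the MD5 and the host paths are constructed placeholders, not real APT1 indicators.

```python
"""Minimal OpenIOC 1.0 evaluator: AND/OR indicator logic over host artifacts. Added
example, not Mandiant's IOC Finder or the APT1 IOCs; all values are constructed."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
# Constructed IOC: OR at the top, nested AND so a generic name needs a bad path too.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>EXAMPLE_BACKDOOR (constructed)</short_description>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000001</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-2">
        <IndicatorItem id="ii-2" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def _item_matches(item, artifacts):
    """One IndicatorItem: test its Content against every host value for that search term."""
    search = item.find("ioc:Context", NS).get("search")
    want, cond = item.find("ioc:Content", NS).text.strip().lower(), item.get("condition")
    return any((cond == "is" and v.lower() == want) or (cond == "contains" and want in v.lower())
               for v in artifacts.get(search, []))

def _indicator_matches(ind, artifacts):
    """Apply the Indicator's operator over its IndicatorItems and nested Indicators."""
    hits = [_item_matches(c, artifacts) for c in ind.findall("ioc:IndicatorItem", NS)]
    hits += [_indicator_matches(c, artifacts) for c in ind.findall("ioc:Indicator", NS)]
    return all(hits) if ind.get("operator", "OR").upper() == "AND" else any(hits)

def evaluate_ioc(ioc_xml, artifacts):
    """Return (short_description, hit). Simplification: terms match independently, not per file."""
    root = ET.fromstring(ioc_xml)
    return (root.findtext("ioc:short_description", "", NS),
            _indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), artifacts))

# Constructed host artifacts keyed by OpenIOC search term: svchost.exe dropped in Temp.
SUSPECT_HOST = {"FileItem/Md5sum": ["ff" * 16], "FileItem/FileName": ["svchost.exe"],
                "FileItem/FullPath": ["C:\\Windows\\Temp\\svchost.exe"]}
```

Because terms are matched independently rather than per file object, the nested AND here can be satisfied by two different files; IOC Finder evaluates items of one document type against the same object.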
The People
• ~30 core people worked on the actual report
  - Threat Intelligence
  - IOCs
  - M-Labs
  - Marketing, legal, execs…
• Significant effort to validate and consolidate data (and conduct open source research) under a tight deadline
• Though the “surge” was intense, it was made possible by 7 years of previous research
Why?
• Prolific
• Volume of data stolen
• Comprehensive understanding of tools, tactics, and procedures
• Example of actionable information sharing
• The timing felt right
• Traffic Light Protocol (TLP): Green indicator disclosure
• Not as intel-sensitive as other groups
APT 1 – Targets by Industry
APT 1 – Victims by Country
APT 1 – Impact
APT 1 – Command and Control Infrastructure
Criticisms
• We’ve received lots of it!
  - Why do you always pick on China?!
  - Focusing on the country of origin is the wrong issue
  - Don’t focus on the attacker, focus on your defenses
  - Mandiant disclosed sensitive intel and ruined intelligence operations
• Publicity stunt
Accuracy
• CNN video shows military chasing CNN vehicle near the building while filming
  https://www.youtube.com/watch?v=yG2ezzLHSD0
• Sen. Feinstein, Chairman Senate Intelligence Committee:
  - “I read the Mandiant report. I've also read other reports, classified out of Intelligence, and I think the Mandiant report, which is now unclassified, it's public, is essentially correct,”
  http://thehill.com/blogs/global-affairs/terrorism/284721-intel-chairwoman-report-on-chinas-cyber-war-unitessentially-correct
Accuracy – Netizen Research
• DOTA phone number discovered used in 2009 for apartment rental – 600 feet from unit 61398.
• SuperHard_M (aka Mei Qiang) likely studied at famous PLA Information Engineering University in 2005.
• 2004 recruitment notice on Zhejiang University website advertising for “Unit 61398 of China’s PLA (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”
• LA Times found blog of possible 61398 worker: http://lat.ms/12OATUY
https://www.mandiant.com/blog/netizen-research-bolsters-apt1-attribution
APT1 – Reaction after a week
• Monday 2/18 – Business as usual
• Report is released at 10 PM EST – 11 AM CST
• Tuesday 2/19 – Clear signs of action plan being invoked
  - Domains getting parked
  - WHOIS registry getting changed
  - Backdoor/tools removed
  - Staging/working directories cleared
  - New backdoors implanted (leverage public communications channels – hotmail/gmail/MSN)
• MACROMAIL malware from APT1 report
• Today: many indicators changed, but otherwise business as usual
APT1 vs. APT12
• NY Times disclosed internal name APT12
• Tools:
  - APT1 – WEBC2, public communication channels, noisy
  - APT12 – DNS calc, cmdline backdoors, more stealthy
• Data theft:
  - APT1 – everything
  - APT12 – discriminating
• Skill:
  - APT1 – good enough, large range of skillsets
  - APT12 – more skilled
• Industries targeted:
  - APT1 – everything
  - APT12 – satellite, crypto, media
M-Trends 2013
Targeted industries
Compromise Detection
Dwell Time
Trend #1 – Outside In
• When targeted organizations increase their prevention and detection capability, weaker service providers and partners become targets
• Mandiant investigated several organizations that had been compromised through 3rd party connections
• 15% of victims in 2012 were notified by a service provider
Trend #2 – ‘X’ Marks the Spot
• Attacks are becoming more surgical in nature: immediately targeting administrators for network diagrams, sensitive asset lists
• Change from historical reliance on internal network reconnaissance
• One victim had followed all the necessary precautions to protect their financial information, yet attacks against system administrators yielded the necessary data to breach the environment
Trend #3 – Once a Target, Always a Target
• Though long known anecdotally, Mandiant measured repeat victimization in 2012
• 38% of victims were recompromised within the year
• Reminder that persistence means constant attempts at recompromise until the mission is accomplished
Trend #4 – Strategic Web Compromise
• Mandiant observed frequent use of strategic web compromises, or “watering hole attacks”, over the last year
• Financial institutions attacked via Java exploits on local news web sites
• Energy companies compromised through an industry portal
• Significant collateral damage