
Mandiant report highlights Chinese cyber threat of APT1

US claims 12 Chinese groups are behind cyber attacks

A division of the Chinese military is reportedly engaged in a hacking campaign against the United States.

According to a report by Mandiant, ‘APT1’ is one of dozens of threat groups it has tracked, and it considers it to be one of the most prolific in terms of the sheer quantity of information it has stolen.

The report claimed that there is evidence linking ‘APT1’ to a section of the People's Liberation Army (PLA), with attacks going on since 2006 against 141 victims using more than 40 malware families. Specifically, it said that APT1 is the second Bureau of the People's Liberation Army General Staff Department's (GSD) third department and is staffed by thousands of people.

Mandiant had previously believed that there was a link between advanced threat actors and the Chinese government, while admitting that "there's no way to determine the extent of its involvement". It said that it now has the evidence required to change its assessment.

“The details we have analysed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them,” it said.

It said that APT1 is one of more than 20 groups with origins in China and "is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen".

The main goal of APT1, according to Mandiant, is to steal data including intellectual property, business contracts or negotiations, policy papers or internal memoranda. “Once APT groups find files of interest on compromised systems, they often pack them into archive files before stealing them. They most commonly use the RAR archiving utility for this task, but may also use other publicly available utilities such as Zip or 7-Zip,” it said.

“APT threat actors not only compress data, but frequently password-protect the archive. From there they use a variety of methods to transfer files out of the victim network, including FTP, custom file transfer tools, or existing backdoors.” The most common method of initial infection is via spear phishing.
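For defenders, the staging-then-transfer pattern described above can be hunted in process-creation logs. The following is an added example, not code from Mandiant or from this article; the log line layout, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Switches that set a password when an archive is created (heuristic, per tool CLI).
PASSWORD_SWITCH = {
    "rar": re.compile(r"^-h?p", re.I),   # -p<pwd> or -hp<pwd>
    "7z":  re.compile(r"^-p", re.I),     # -p<pwd>
    "zip": re.compile(r"^(-e|-P)$"),     # -e (prompt) or -P <pwd>
}
WINDOW = timedelta(minutes=30)  # assumed correlation window

def parse(line):
    """Split 'ISO-timestamp host command line' into (time, host, exe, args)."""
    ts, host, cmd = line.split(" ", 2)
    argv = cmd.split()
    exe = re.sub(r"\.exe$", "", re.split(r"[\\/]", argv[0])[-1].lower())
    return datetime.fromisoformat(ts), host, exe, argv[1:]

def is_protected_archive(exe, args):
    """True when an archiver is asked to create a password-protected archive."""
    switch = PASSWORD_SWITCH.get(exe)
    if switch is None:
        return False
    if exe in ("rar", "7z") and (not args or args[0].lower() != "a"):
        return False  # only the 'a' (add) command stages data
    return any(switch.match(a) for a in args)

def correlate(lines):
    """Return (host, staged_at, ftp_at) where FTP follows staging within WINDOW."""
    staged, alerts = {}, []
    for line in lines:  # events are assumed to be in time order
        when, host, exe, args = parse(line)
        if is_protected_archive(exe, args):
            staged[host] = when
        elif exe == "ftp" and host in staged and when - staged[host] <= WINDOW:
            alerts.append((host, staged[host], when))
    return alerts

# Constructed sample events (not taken from the report).
SAMPLE = [
    r"2013-02-19T10:02:11 WS01 C:\tools\rar.exe a -hpEXAMPLE C:\temp\a.rar C:\docs",
    r"2013-02-19T10:05:40 WS01 ftp.exe 192.0.2.10",
    r"2013-02-19T11:00:00 WS02 7z.exe a backup.7z D:\share",
    r"2013-02-19T11:01:00 WS02 ftp.exe 192.0.2.10",
    r"2013-02-19T12:00:00 WS03 rar.exe x -pEXAMPLE in.rar",
]
if __name__ == "__main__":
    for host, staged_at, ftp_at in correlate(SAMPLE):
        print(f"{host}: protected archive at {staged_at}, FTP at {ftp_at}")
```

Only WS01 is reported: WS02 creates an archive without a password and WS03 extracts rather than creates. Custom transfer tools and existing backdoors, which the report also mentions, would not be caught by the FTP check.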

Dan McWhorter, managing director of threat intelligence at Mandiant, said: “The scale and impact of APT1’s operations compelled us to write this report. The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one.

“What started as a ‘what if’ discussion about our traditional non-disclosure policy quickly turned into the realisation that the positive impact resulting from our decision to expose APT1 outweighed the risk of losing much of our ability to collect intelligence on this particular advanced persistent threat group.

“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively. The issue of attribution has always been a missing link in the public's understanding of the landscape of APT cyber espionage.

“Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”
