Mandiant report highlights Chinese cyber threat of APT1

News by Dan Raywood

A division of the Chinese military is reportedly engaged in a hacking campaign against the United States.

According to a report by Mandiant, the company has tracked dozens of threat groups, including one it names 'APT1', which it considers to be one of the most prolific in terms of the sheer quantity of information it has stolen.

The report claimed that there is evidence linking 'APT1' to a section of the People's Liberation Army (PLA), with attacks going on since 2006 against 141 victims using more than 40 malware families. Specifically, it said that APT1 is the second Bureau of the People's Liberation Army General Staff Department's (GSD) third department and is staffed by thousands of people.

Mandiant had previously believed that there was a link between advanced threat actors and the Chinese government, while admitting that "there's no way to determine the extent of its involvement"; it said that it now has the evidence required to change its assessment.

“The details we have analysed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them,” it said.

It said that APT1 is one of more than 20 groups with origins in China and "is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen".

The main goal of APT1, according to Mandiant, is to steal data including intellectual property, business contracts or negotiations, policy papers or internal memoranda. “Once APT groups find files of interest on compromised systems, they often pack them into archive files before stealing them. They most commonly use the RAR archiving utility for this task, but may also use other publicly available utilities such as Zip or 7-Zip,” it said.

“APT threat actors not only compress data, but frequently password-protect the archive. From there they use a variety of methods to transfer files out of the victim network, including FTP, custom file transfer tools, or existing backdoors.” The most common method of initial infection is via spear phishing.
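For defenders, the staging step described above leaves a checkable artefact: a RAR 4.x archive records password protection in its block header flags. The sketch below is an added example, not code from Mandiant's report; the flag values come from the RAR 4.x format rather than from the article, only RAR 4.x is covered (RAR 5 and other files return `None`), and the sample bytes are constructed.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"   # RAR 4.x marker block
MAIN_HEAD, FILE_HEAD = 0x73, 0x74  # block types
MHD_PASSWORD = 0x0080              # main header flag: block headers encrypted (rar -hp)
LHD_PASSWORD = 0x0004              # file header flag: file data encrypted (rar -p)
LONG_BLOCK = 0x8000                # a 4-byte ADD_SIZE data length follows the header

def rar4_protection(buf):
    """Return None if buf is not RAR 4.x, else 'headers', 'files', 'none' or 'truncated'."""
    if not buf.startswith(RAR4_MAGIC):
        return None
    pos = len(RAR4_MAGIC)
    try:
        while pos < len(buf):
            _crc, htype, flags, size = struct.unpack_from("<HBHH", buf, pos)
            if htype == MAIN_HEAD and flags & MHD_PASSWORD:
                return "headers"   # everything after this block is ciphertext
            if htype == FILE_HEAD: # the first file header decides the verdict
                return "files" if flags & LHD_PASSWORD else "none"
            if size < 7:
                return "truncated" # corrupt HEAD_SIZE, refuse to loop forever
            if flags & LONG_BLOCK: # skip the data area of non-file blocks
                size += struct.unpack_from("<I", buf, pos + 7)[0]
            pos += size
    except struct.error:
        return "truncated"
    return "none"                  # archive with no file entries

def _block(htype, flags, body=b""):
    """Constructed test block: zero CRC, correct HEAD_SIZE."""
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body

# Constructed samples (header bytes only, CRCs zeroed), not taken from any real archive.
MAIN = _block(MAIN_HEAD, 0, bytes(6))
SAMPLES = {
    "plain.rar": RAR4_MAGIC + MAIN + _block(FILE_HEAD, LONG_BLOCK, bytes(25)),
    "staged-p.rar": RAR4_MAGIC + MAIN + _block(0x7A, LONG_BLOCK, struct.pack("<I", 3) + bytes(21))
                    + b"CMT" + _block(FILE_HEAD, LONG_BLOCK | LHD_PASSWORD, bytes(25)),
    "staged-hp.rar": RAR4_MAGIC + _block(MAIN_HEAD, MHD_PASSWORD, bytes(6)) + bytes(24),
    "notes.txt": b"quarterly figures",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, rar4_protection(data))
```

A "headers" or "files" verdict on an archive found in a temporary or staging directory is a triage signal rather than proof of theft, since legitimate users also password-protect archives.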

Dan McWhorter, managing director of threat intelligence at Mandiant, said: “The scale and impact of APT1's operations compelled us to write this report. The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one.

“What started as a 'what if' discussion about our traditional non-disclosure policy quickly turned into the realisation that the positive impact resulting from our decision to expose APT1 outweighed the risk of losing much of our ability to collect intelligence on this particular advanced persistent threat group.

“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively. The issue of attribution has always been a missing link in the public's understanding of the landscape of APT cyber espionage.

“Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”

