APT1, Unit 61398 and are state sponsored attacks real

Published: 2013-02-19
Last Updated: 2013-02-19 19:49:07 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

The label of "state sponsored attacks" or "advanced persistent threat" has been used and abused frequently in the last few years. Hardly ever have we seen any "hard evidence" of how these attacks happen, and who is behind them. The report by Mandiant that made the news this week is probably the best public summary of these attacks, listing conclusive evidence linking the attacks to the Chinese government.

Attributing cyber attacks is always very difficult. IP addresses don't really mean much, as attackers frequently use chains of compromised machines to attack the ultimate target. The Mandiant report uses additional evidence and does a very good and thorough job in tracing the attacks.

But what does it mean to you?

First of all: Read the report (the original, not the press releases and commentaries): http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf . Direct management to the video that Mandiant made.

The report also includes lots of IP addresses and other indicators that you can use to check your own networks for similar compromises.

The attacks follow a very tried and true pattern:

  • send an e-mail to the victim
  • the victim will click on a link or an attachment
  • an exploit will be used to compromise the user's system
  • additional software will then be used to establish a foothold and exfiltrate data

What can you do about this? 

At each step, try to see how you could possibly intercept the attack. For example, conduct your own phishing exercises. With permission, register a hotmail/gmail/yahoo mail account using an executive's e-mail address. Send an e-mail to all employees using this From address and see how many people click. Direct them to a nice but educational page telling them how they may have been "hacked" this way, and what to look for.

This way, you gain a bit of awareness, but you also gain hard numbers on how many people in your organization would have clicked on the link. This is critical to demonstrate the size of the issue to management to obtain resources to defend against this threat.

Next, prevent the infection of the system. Patching still helps. Not all attackers use 0-day attacks. But more importantly, reduce the attack surface by removing unneeded software (Java, Flash, Office...). Office may be a hard one to remove, but limit it to the pieces of the package that are actually needed. It will save you on licensing fees too.

Consider whitelisting. While not perfect, if done right, it is a lot better than anti-virus.

And finally in this very brief list: Don't forget some kind of exfiltration or data leakage protection. Look for anomalies more than for signatures. The better you know what is normal on your network, the better are your chances to detect "bad stuff".
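One way to put the "know what is normal" advice into practice, as an added example that is not part of the original diary: build a per-host baseline of daily outbound volume and known destinations, then score today's traffic by its distance from the median in units of MAD. Host names, addresses, volumes and the threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, internal host, destination, outbound KB).
# Destinations use documentation address ranges; nothing here is real traffic.
BASELINE = [(d, "ws-01", "198.51.100.10", kb)
            for d, kb in enumerate([100, 120, 110, 90, 105])]
BASELINE += [(d, "ws-02", "198.51.100.20", kb)
             for d, kb in enumerate([200, 210, 190, 205, 195])]
TODAY = [(5, "ws-01", "198.51.100.10", 115),
         (5, "ws-02", "198.51.100.20", 200),
         (5, "ws-02", "203.0.113.77", 5000)]

def build_baseline(flows):
    """Per host: daily outbound totals and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dest, kb in flows:
        daily[host][day] += kb
        dests[host].add(dest)
    return {h: (list(daily[h].values()), dests[h]) for h in daily}

def robust_score(history, value):
    """Deviation from the median in units of MAD (median absolute deviation)."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1  # avoid division by zero
    return (value - med) / mad

def find_anomalies(baseline, today, threshold=10.0):
    """Report hosts whose outbound volume or destinations deviate from baseline."""
    totals, seen = defaultdict(int), defaultdict(set)
    for _, host, dest, kb in today:
        totals[host] += kb
        seen[host].add(dest)
    alerts = []
    for host in sorted(totals):
        history, known = baseline.get(host, ([], set()))
        # A host with no history cannot be scored; report it unconditionally.
        score = round(robust_score(history, totals[host]), 1) if history else None
        new_dests = sorted(seen[host] - known)
        if score is None or score > threshold or new_dests:
            alerts.append({"host": host, "score": score, "new_dests": new_dests})
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE), TODAY):
        print(alert)
```

The median and MAD are used instead of mean and standard deviation so that one earlier spike in the history does not widen the "normal" band and hide the next one.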

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: 61398 apt apt1 china