APT1, Unit 61398 and are state sponsored attacks real

Published: 2013-02-19
Last Updated: 2013-02-19 19:49:07 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

The labels "state sponsored attack" and "advanced persistent threat" have been used and abused frequently in the last few years. We have hardly ever seen any "hard evidence" of how these attacks happen and who is behind them. The Mandiant report that made the news this week is probably the best public summary of these attacks, listing conclusive evidence linking the attacks to the Chinese government.

Attributing cyber attacks is always very difficult. IP addresses alone don't mean much, as attackers frequently use chains of compromised machines to reach the ultimate target. The Mandiant report uses additional evidence and does a very good and thorough job of tracing the attacks.

But what does it mean to you?

First of all: Read the report (the original, not the press releases and commentaries): http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf . Direct management to the video that Mandiant made.

The report also includes lots of IP addresses and other indicators that you can use to check your own networks for similar compromises.
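As an added illustration of that indicator check (this is example code, not part of the diary or of the Mandiant report), the script below runs firewall and proxy log lines against a small indicator list. The networks, domains and log lines are constructed placeholders in documentation address space; the real values would be taken from the report's appendices.

```python
# Added example: match firewall/proxy log lines against a set of indicators
# of compromise (IoCs). Indicator values and log lines are constructed
# placeholders, not values from the Mandiant report.
import ipaddress
import re

# Constructed placeholders standing in for the report's indicator lists.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
IOC_DOMAINS = {"update.example-c2.invalid", "mail.example-c2.invalid"}

# Constructed sample lines: a syslog-style firewall export and a proxy access log.
SAMPLE_LOGS = [
    "2013-02-19T10:01:02Z fw01 ALLOW src=10.1.2.3 dst=203.0.113.45 dport=443",
    "2013-02-19T10:01:09Z fw01 ALLOW src=10.1.2.9 dst=192.0.2.10 dport=80",
    "2013-02-19T10:02:15Z proxy01 10.1.2.3 GET http://update.example-c2.invalid/check.php 200",
    "2013-02-19T10:02:40Z proxy01 10.1.2.5 GET http://www.example.org/ 200",
    "2013-02-19T10:03:01Z fw01 ALLOW src=10.1.2.7 dst=198.51.100.7 dport=8080",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def ip_is_indicator(ip: str) -> bool:
    """True if the address falls inside any indicator network (CIDR-aware)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def domain_is_indicator(host: str) -> bool:
    """True for an indicator domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_ioc_hits(lines):
    """Return (line, sorted indicator values) for every line touching an IoC."""
    hits = []
    for line in lines:
        matched = set()
        for ip in IP_RE.findall(line):
            if ip_is_indicator(ip):
                matched.add(ip)
        for host in HOST_RE.findall(line):
            if domain_is_indicator(host):
                matched.add(host)
        if matched:
            hits.append((line, sorted(matched)))
    return hits


if __name__ == "__main__":
    for line, indicators in find_ioc_hits(SAMPLE_LOGS):
        print(indicators, "<-", line)
```

Matching on CIDR blocks rather than exact strings matters because indicator lists often give whole ranges, and matching subdomains catches hosts that rotate a prefix under a known parent domain. On a real network, feed the script the exported logs and replace the placeholder lists with the report's own.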

The attacks follow a very tried and true pattern:

  • send an e-mail to the victim
  • the victim clicks on a link or an attachment
  • an exploit is used to compromise the user's system
  • additional software is then used to establish a foothold and exfiltrate data

What can you do about this? 

At each step, try to see how you could possibly intercept the attack. For example, conduct your own phishing exercises. With permission, register a hotmail/gmail/yahoo mail account using an executive's e-mail address. Send an e-mail to all employees using this From: address and see how many people click. Direct them to a nice but educational page telling them how they may have been "hacked" this way, and what to look for.

This way, you gain a bit of awareness, but you also gain hard numbers on how many people in your organization would have clicked on the link. This is critical to demonstrate the size of the issue to management in order to obtain resources to defend against this threat.

Next, prevent the infection of the system. Patching still helps: not all attackers use 0-day exploits. But more importantly, reduce the attack surface by removing unneeded software (Java, Flash, Office...). Office may be a hard one to remove, but limit it to the pieces of the package that are actually needed. It will save you on licensing fees too.

Consider whitelisting. While not perfect, if done right it is a lot better than antivirus.

And finally, in this very brief list: don't forget some kind of exfiltration or data leakage protection. Look for anomalies more than for signatures. The better you know what is normal on your network, the better your chances of detecting "bad stuff".
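To make "know what is normal" concrete, here is an added example (not code from the diary) of a per-host outbound baseline: each host's daily outbound byte count is compared against its own history, and any destination the host has never talked to before is reported. The baseline history, destination sets and "today's" flow records are constructed sample data, and the 10% floor on the spread is a design choice of this example.

```python
# Added example: anomaly-based exfiltration check against a per-host baseline.
# All histories and flow records below are constructed sample data.
import statistics
from collections import defaultdict

# Constructed history: daily outbound bytes per host over the prior week.
BASELINE_BYTES = {
    "10.1.2.3": [12_000_000, 11_500_000, 13_100_000, 12_400_000, 11_900_000, 12_700_000, 12_200_000],
    "10.1.2.9": [2_100_000, 1_900_000, 2_300_000, 2_000_000, 2_200_000, 1_950_000, 2_050_000],
}
# Constructed history: destinations each host normally talks to.
BASELINE_DESTS = {
    "10.1.2.3": {"192.0.2.10", "192.0.2.11"},
    "10.1.2.9": {"192.0.2.10"},
}
# Constructed flow records for "today": (source host, destination, bytes out).
TODAY_FLOWS = [
    ("10.1.2.3", "192.0.2.10", 6_000_000),
    ("10.1.2.3", "203.0.113.45", 41_000_000),  # never-seen destination, large transfer
    ("10.1.2.9", "192.0.2.10", 2_050_000),
]


def volume_threshold(history, sigmas=3.0):
    """Mean plus `sigmas` standard deviations of the host's own history.

    The spread is floored at 10% of the mean so a perfectly flat history
    does not alert on trivial day-to-day variation (a choice of this example).
    """
    mean = statistics.mean(history)
    stdev = statistics.stdev(history) if len(history) > 1 else 0.0
    spread = max(stdev, 0.1 * mean)
    return mean + sigmas * spread


def detect_anomalies(flows, baseline_bytes, baseline_dests, sigmas=3.0):
    """Return {host: [reasons]} for hosts that depart from their baseline."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, nbytes in flows:
        totals[src] += nbytes
        dests[src].add(dst)

    findings = defaultdict(list)
    for host, total in totals.items():
        if host not in baseline_bytes:
            # A host with no history is itself worth a look.
            findings[host].append("no baseline for host")
            continue
        threshold = volume_threshold(baseline_bytes[host], sigmas)
        if total > threshold:
            findings[host].append(f"volume {total} exceeds threshold {int(threshold)}")
        for dst in sorted(dests[host] - baseline_dests.get(host, set())):
            findings[host].append(f"new destination {dst}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in detect_anomalies(TODAY_FLOWS, BASELINE_BYTES, BASELINE_DESTS).items():
        print(host, "->", "; ".join(reasons))
```

The point of comparing each host to its own history rather than to a global figure is that a file server and a receptionist's desktop have very different "normal"; the same 40 MB that is routine for one is an outlier for the other. Neither check needs a signature: the script knows nothing about the attacker, only about the network.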

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: 61398 apt apt1 china


Why not change the architecture from the one way in one way out to something else? We can keep changing the tools (use whitelist over AV, use exfiltration protection, etc) or we can change how the network works and make it much easier to spot the anomalous traffic that these types of attacks create. It is a lot harder when all of your network traffic goes out one or two pipes.

Think differently. Think about using virtualization and moving email and web browsing to highly protected enclaves. Is it really enough to keep adding expensive products and still know you can't protect the Enterprise?

QubesOS can protect a desktop, but how do expand that model out to a network? There are ways and nearly every virtualization technology can support them.
I think virtualization is all good, if you can keep the "enclaves" apart. Data sharing between applications is in part what makes modern computing so great. It is kind of like banks having their own "secure" internet. How would customers connect to them?

What I like about whitelisting is that it answers one important question: What is supposed to be on the systems. Even experienced sysadmins usually don't know.
I wouldn't be opening any PDF from a work machine or PC with sysadmin access until the latest zero day patch is out. The Mandiant report would be an excellent opportunity to sucker in a lot of infosec people who believe in fairytales (Hansel and Gretel) and these hackers got into major systems all around the world. The NYT article did not state that Mandiant tracked the hackers into the building, most likely because Unit 61398 had a separate physical connection. Johannes, remember around 10 years ago when the only secure PC was one packed in its original cardboard box and locked in secure storage?

A Californian hacker with madirish in their email address used exactly the same methods to drop a nasty payload onto my development PC in 2004. This was via an email with a forwarded email from an employee with an attached image that had a payload with a keylogger and a remote access component that was pretty sophisticated at the time. Sorry this MO is too similar to be funny. I had detected the employee who forwarded me the email attempting to gain access to our FTP site which contained PDF files that the employee did not have access to on our main server. Six weeks later the employees website was found and he was trying to sell the downloaded documents.
I have read the PDF and 'may' is not a very strong word when you consider the criminality of the MO.
You can use isolated virtualization and still do information sharing. A lot of it centers on knowing how information moves between applications and around the network.

For instance, an email enclave would not be able to initiate any connections to the internal enclave. Clients opening the app on their desktop don't really know that they are opening a virtual app. That system connects to the app server in the enclave and they read through their email. The catch would be that in order to open an attachment, they have to save it to a specific directory and then open it on their desktop. An internal file share server polls the file server in the enclave to look for new files and then pulls them down. The client/user doesn't see this. Attachments also must get put into a specific directory that gets pushed to the enclave.

There is a lot more to it, and it is complicated and expensive, but you can create enclaves for trusted and untrusted browsing too.

There are many ways to accomplish this, and whitelists still become a part of the solution. Only now you have taken the two biggest attack vectors and moved them into highly controlled enclaves. You have significantly reduced the traffic radiating from the internal hosts, making it much easier to find infections and intrusions.

It isn't that it is a solution, just an example of how we can start re-thinking security and network architecture to address issues instead of always trying to find a better detection/security tool.
