“Our analysis,” says Mandiant in a new report published today, “has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”
Mandiant goes further, claiming that APT1 is specifically “the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department,” or Unit 61398. “APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.”
Mandiant is also releasing more than “3,000 indicators to bolster defenses against APT1 operations.” These include domain names, IP addresses, MD5 hashes of APT1 malware, and thirteen X.509 encryption certificates used by the group. These are being provided in Redline, the company’s free investigative tool. We are exposing APT1, says the report, because “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”
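The indicator types listed above (domain names, IP addresses, MD5 hashes and certificate fingerprints) are the kind of feed a defender loads into a matcher and runs over proxy or DNS logs and file hashes. The following is an added example of such a matcher, not code from Mandiant, Redline or the APT1 report; every indicator, log line and sample file in it is a constructed placeholder (RFC 5737 documentation addresses, `.invalid` hostnames, an all-zero certificate fingerprint), not a real APT1 indicator.

```python
import hashlib
import ipaddress
import re
from typing import Dict, List, Set

# Constructed indicator set: placeholders standing in for a real feed.
INDICATORS: Dict[str, Set[str]] = {
    "domains": {"update.example-bad.invalid", "cdn.example-bad.invalid"},
    "ips": {"192.0.2.10", "198.51.100.7"},     # RFC 5737 documentation ranges
    "md5": set(),                              # filled below from constructed bytes
    "cert_sha1": {"00" * 19 + "01"},           # placeholder 40-hex-char fingerprint
}

# Constructed "malware sample" so the MD5 indicator is reproducible offline.
SAMPLE_BYTES = b"constructed sample bytes for the example"
INDICATORS["md5"].add(hashlib.md5(SAMPLE_BYTES).hexdigest())

# Constructed proxy log lines in the shape "timestamp client dest_host dest_ip".
LOG_LINES = [
    "2013-02-19T10:00:01Z 10.0.0.5 www.example.com 203.0.113.1",
    "2013-02-19T10:00:07Z 10.0.0.8 update.example-bad.invalid 192.0.2.10",
    "2013-02-19T10:00:09Z 10.0.0.9 mail.example.org 203.0.113.25",
    "2013-02-19T10:01:12Z 10.0.0.5 files.example.net 198.51.100.7",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def normalize_domain(host: str) -> str:
    # Match case-insensitively and ignore a trailing dot (FQDN form).
    return host.lower().rstrip(".")


def domain_matches(host: str, bad_domains: Set[str]) -> bool:
    # Exact match or any subdomain of a listed domain.
    h = normalize_domain(host)
    return any(h == d or h.endswith("." + d) for d in bad_domains)


def scan_log_lines(lines: List[str], indicators: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one record per log line that touches a listed domain or IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        ts, client, host, dest_ip = m.groups()
        reasons = []
        if domain_matches(host, indicators["domains"]):
            reasons.append("domain")
        try:
            # ip_address() canonicalises the literal before the set lookup.
            if str(ipaddress.ip_address(dest_ip)) in indicators["ips"]:
                reasons.append("ip")
        except ValueError:
            pass  # not an IP literal; nothing to compare against
        if reasons:
            hits.append({"time": ts, "client": client, "host": host,
                         "ip": dest_ip, "matched": ",".join(reasons)})
    return hits


def file_matches(blob: bytes, indicators: Dict[str, Set[str]]) -> bool:
    """True when the MD5 of the file contents is in the indicator set."""
    return hashlib.md5(blob).hexdigest() in indicators["md5"]


def cert_matches(fingerprint_sha1: str, indicators: Dict[str, Set[str]]) -> bool:
    """Accept colon-separated or bare hex fingerprints, any case."""
    return fingerprint_sha1.lower().replace(":", "") in indicators["cert_sha1"]


if __name__ == "__main__":
    for hit in scan_log_lines(LOG_LINES, INDICATORS):
        print(hit)
    print("sample matches MD5 indicator:", file_matches(SAMPLE_BYTES, INDICATORS))
```

A match on a domain or IP indicator is a lead for investigation, not proof of compromise: shared hosting and reused infrastructure mean the same address can serve unrelated traffic, so each hit should be checked against the full session and the host before it is treated as an incident.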
China has denied involvement. Reuters reports that Hong Lei of the Chinese Foreign Ministry responded, “Hacking attacks are transnational and anonymous. Determining their origins are extremely difficult. We don't know how the evidence in this so-called report can be tenable,” adding that “arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue.”
China’s point is that a major part of Mandiant’s proof is based on IP addresses. “In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese Language,” says the report. The apparent source address of a connection, however, is easily disguised by routing traffic through proxies or previously compromised machines.
John Sawyer makes this point clearly in an article in Dark Reading published on Sunday. Attribution is hard, he says. “The reality is more likely that some attacker found a vulnerable website in Country X, gained access to it, and then exploited a vulnerability in a mail server in Country Y. From Country Y, the attacker jumped through an open proxy in Country Z to access a previously compromised server in China. That compromised server in China was then used to launch the attack and is now considered part of a Chinese conspiracy to steal the formula for Justin Timberlake's latest fragrance.”
China’s suggestion is that this is more or less what happened, and that the US is behind the greater part of the world’s hacking. Either way, Mandiant is aware that its findings will be controversial. “We are acutely aware of the risk this report poses for us,” it concludes. “We expect reprisals from China as well as an onslaught of criticism.”