FireEye Backs Washington with New APT1 Data Linking Attacks to China

The People's Liberation Army in Tiananmen Square in Beijing in Hebei Province, People's Republic of China
The People's Liberation Army in Tiananmen Square in Beijing in Hebei Province, People's Republic of China
FireEye has released new information backing US government intelligence which Washington used earlier this week to justify its decision to unmask five alleged Chinese military hackers.
The security vendor’s Mandiant business last year first linked the now infamous PLA Unit 61398 – which the five operatives are said to have hailed from – with the notorious APT1 hacking group, which it said operated out of the same Shanghai compound.
Over the two year period of the report, from January 2011 to January 2013, Mandiant confirmed 1,905 instances of APT1 actors logging into their “hop infrastructure” from 832 different IP addresses with Remote Desktop.
Some 98% of those addresses were Chinese and specifically Shanghai, while 97% of Remote Desktop sessions were of the keyboard layout setting “Chinese (Simplified) — US Keyboard.”
In a blog post this week, FireEye Labs revealed that Remote Desktop log-in times and days of week confirmed almost exactly to the Chinese public sector working week/hours – that is Monday-Friday from 8am-6pm local time with an approximate 2 hour break at lunch.
Some 97.5% of APT1 personnel logged in on weekdays, China Standar Time (CST), 75% of connections occurred between 8am-noon or 2pm-6pm and 15% occurred between 7pm and 10pm, according to the data.
“The simplest conclusion based on these facts is that APT1 is operating in China, and most likely in Shanghai. Although one could attempt to explain every piece of evidence away, at some point the evidence starts to become overwhelming when it is all pointing in one direction,” FireEye continued.
“Our timestamp data, derived from active RDP logins over a two year period, matches the Department of Justice’s timestamp data, derived from a different source — active Dynamic DNS re-pointing over a five year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are.”
China’s response to the DOJ indictments, as noted by FireEye, were markedly different from that which it addressed Mandiant’s report. Back then it denounced the report, claiming it lacked sufficient evidence, whereas on Monday, Beijing argued the US government had fabricated its evidence.
In the end, however, the naming and shaming is likely to do little to halt Chinese cyber incursions. In a one year on M-Trends report issued last month, Mandiant warned that the groups exposed had waited around 150 days before resuming “pre-disclosure levels” of activity.

However, they had also made efforts to change “operational architecture” in a bid to “obscure their further data theft operations” – in effect, burrowing deeper to try and avoid detection.   

What’s hot on Infosecurity Magazine?