Investigating Advanced Persistent Threat 1
Hi this is Deana Shick and Angela Horneman from the Threat Analysis and Situational Awareness teams. In this post we introduce our recently published technical report Investigating Advanced Persistent Threat 1, which shows the value of combining several unclassified datasets to explore known indicators of compromise (IOC).
In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1) and provided a detailed report of APT1 operations, along with 3,000 indicators of the group's activity since 2006. We wanted to see how much we could validate or add to Mandiant's information using only unclassified data sets. We were particularly interested in using the Internet Census 2012 data to see what we could find by way of APT1's middle infrastructure: the system of hops, distribution points or relays, and the command and control (C2) servers that sit between APT1's victims and main C2 servers located overseas.
In addition to the Internet Census 2012, we also used the following data sources to enhance our understanding of the compromised devices:
- The Mandiant report, APT1: Exposing One of China's Cyber Espionage Units
- Joint Indicator Bulletins: INC260425, INC260425-2
- Security Information Exchange at the Internet System Consortium (SIE@ISC): passive DNS Data (now part of Farsight Security)
- Open Resolvers Dataset
- Neustar GeoPoint Data for geo-location and routing data
- Internet Storm Center's Dshield API
These data sources with Linux tools, Excel, and the SiLK tool suite, gave us some validation of the Mandiant report and provided a few other interesting insights. For instance, Microsoft Windows accounted for 21.3% of the compromised devices evaluated from the Mandiant IOC and the Joint Indicator Bulletins. We also found more detailed information about the device geographic locations and how the devices connect to the internet. Unexpectedly we also found over 250 malware hashes that were not included in the Mandiant report. All our findings are detailed in our technical report, Investigating Advanced Persistent Threat 1.
From our perspective, this report was an exercise in combining key information to show how unclassified data can be used to describe malicious and covert networks when IOC are available.
APT1 is still active and garnering interest. Check out the State of the Hack: One Year after the APT1 Report presentation from the 2014 RSA conference to learn more about what Mandiant has found since its initial report and U.S. Official: China Cited in Cyber-Espionage Case for a brief discussion on what the U.S. might do about it.
If you have questions, comments, or would like more information about the report or our investigative method, let us know by using our Contact Us form.