
Hackers Set Sail for America


This week Mandiant, an American cyber security firm, released a report describing how the Chinese government or military apparatus has engaged in an extensive cyber espionage campaign against US governmental agencies, corporations and human rights organizations. The report refers to the group behind the hacking as “APT1” and suggests that it is one of more than 20 Advanced Persistent Threat (APT) actors that have had a prolific global impact. Mandiant has been tracking the group since 2006 and argues that it has stolen large volumes of information from over 150 victims. The report concludes that APT1 is likely government-sponsored and is regarded as one of China’s most persistent hacking groups.


[Screenshot: Screen Shot 2013-02-20 at 6.50.54 PM]

Key findings in the report:

  1. APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA).
  2. APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
  3. APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
  4. APT1 maintains an extensive infrastructure of computer systems around the world.
  5. In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the simplified Chinese language.
  6. The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds, of human operators.
  7. In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.
  8. Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.

One of the most interesting aspects of this story is how Anonymous helped contribute to key finding #7: identifying the hackers in APT1. Back in February 2011, Anonymous hacked HBGary Federal after its CEO, Aaron Barr, attempted to identify the “ring-leaders” of the faceless hacktivist collective and sell the information to the Federal Bureau of Investigation. In response to his efforts, Anonymous compromised rootkit.com, the popular site devoted to the subject of rootkits run by Greg Hoglund (founder of the cyber security company HBGary). To make a long story short… the following conversation happened.

[Screenshot: Screen Shot 2013-02-20 at 7.03.53 PM]

Interestingly, when Anonymous published all of the registered accounts from “rootkit.com”, the user name “uglygorilla” with the registered email uglygorilla@163.com appeared in the dump. The same user name also appears registered on the People’s Liberation Army forum. What’s more, the same IP address (58.246.255.28) falls within the APT1 home range.

Although this story is still in its infancy, it is sure to have significant impacts. For one, I think back to the caption at the bottom of my post on CISPA and wonder if this newfound Chinese cyber espionage will be used as leverage to push domestic bills on the American home front in the war on cybercrime. In any case, the public should be cognizant of the political boundaries within which they live and recognize that legitimate threats do exist, both foreign and domestic. It will be fascinating to see how the story pans out and how international policing and security agencies respond to this threat.

[Screenshot: Screen Shot 2013-02-20 at 6.50.08 PM]


