
Up until now, whatever intelligence existed on the ‘Advanced Persistent Threats’ from China (more specifically its government) wasn’t doing much good, because, well, it wasn’t reaching the people it should have reached. Sure, there’s no shortage of journals and academic papers discussing various points of China’s information warfare strategy. Sure, MI5 have advised a handful of CEOs here and there, but how was that information used? How many companies got owned because of what their employees weren’t told?

Thankfully the situation changed somewhat, with the release of Mandiant’s excellent and very well-researched report, along with Kaspersky’s coverage of the ‘Red October’ thing. The appendices that accompany it are even more useful, giving us real information we can work with. Hopefully there’ll be less APT-related scaremongering and confusion, and a better idea of how to actually deal with the problem.

Unit 61398, AKA GSD 3rd Department, AKA APT1
What the press concentrated on more than anything was Mandiant’s conclusion: 'Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398.'

Evidence for this was very strong, but it shouldn’t be taken as proven. Other possibilities have to be considered: one is that China’s government or military intentionally put the information out there and wanted someone like Mandiant to uncover it – maybe using Unit 61398 as a honeynet of sorts. Another is that someone else was using a nearby service provider to cover its tracks, which is plausible if the activity was traced to a heavily populated business district where several ISPs are operating. Unit 61398 might well have been operating independently, maybe as a private organisation or academic group.

What I found interesting was that this group’s methods appear much less sophisticated than those used in what Kaspersky calls the ‘Red October’ attacks.

In any case, this doesn’t matter so much. What should be the focus of discussion is how APT1 operated. Fortunately Mandiant has provided us with malware signatures, descriptors, filenames, etc.

Attack Methods
The author sums up APT1’s methodology as: 'APT1 has a well-defined attack methodology, honed over years and designed to steal massive quantities of intellectual property. They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China – before beginning the cycle again.'

Reading further, the general methodology (Appendix B: APT and the Attack Lifecycle) is one we’d find in any decent book on network penetration, and most of us will encounter variations of it at some point. I doubt it’ll change as a result of what Mandiant published. With that said, the following stood out:

Malware, Research and Targeted Emails
One of the early stages of the attack is malware attached to a carefully crafted email. Now, we’d think the policy of ‘don’t click shit!’ would prevent this, but the attackers did their research, tailored the emails (and the sender’s address) to the recipient, and went the extra mile in disguising their malware – even the executables’ icons were changed to those of a document file. If it looks and sounds legit…

Since the best AV doesn’t recognise around 30% (ballpark figure) of malware in existence and the signatures weren’t made public until recently, the alarm wouldn’t have been raised at this point. It didn’t matter whether a webmail account was used either, as hardly anyone’s going to check the headers of every email.

So, the recipient opens the attachment, the executable runs, malware is grabbed and a backdoor installed. This backdoor initiates a connection with the attacker’s C&C server. However, the reason for this isn’t so much related to firewalls (the reason given by Mandiant), but instead the attacker wants to maintain access if the IP address of the infected machine changes.

Privilege Escalation
With the attacker being able to communicate with the target system, the next stage is to escalate privileges. Here, it’s typically done by harvesting password hashes from the Windows Registry before cracking them.

More Reconnaissance
If root access was gained, there’s another reconnaissance stage that involves studying the network to determine what assets are there, how they’re stored, and the security monitoring practices in place. This is essential for being able to exfiltrate data while evading detection.

Again, thanks to Mandiant, we have a batch script telling us what Unit 61398 was specifically looking for, mainly:
* User accounts
* System administrators
* Domain controllers (a prize target)
* Services
* Exchange servers
* Hosts
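As an added illustration (not part of the original post or of Mandiant’s appendix), here is the defender’s side of this stage: a small script that scans process-creation log lines for the same categories of reconnaissance and flags a host that runs several of them within a short window. The log format, the host names and the command patterns mapped to each category are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance categories named in the post, mapped to the built-in Windows
# commands a defender would expect to see for each. The patterns are this
# example's assumptions, not the contents of the batch script Mandiant published.
RECON_PATTERNS = {
    "user accounts": re.compile(r'\bnet1?\s+user\b', re.I),
    "administrators": re.compile(r'\bnet1?\s+(localgroup\s+administrators|group\s+"?domain admins)', re.I),
    "domain controllers": re.compile(r'\bnet1?\s+group\s+"?domain controllers|\bnltest\b', re.I),
    "services": re.compile(r'\b(net1?\s+start|sc\s+query|tasklist)\b', re.I),
    "exchange servers": re.compile(r'\bnet1?\s+group\s+"?exchange', re.I),
    "hosts": re.compile(r'\b(net1?\s+view|ipconfig\s+/all|arp\s+-a)\b', re.I),
}

# Constructed log format: "<timestamp> host=<name> user=<name> cmd=<command line>"
LOG_LINE = re.compile(r'^(\S+ \S+) host=(\S+) user=(\S+) cmd=(.*)$')

# Constructed sample: one workstation runs five recon categories in 20 seconds,
# another runs two unrelated commands hours apart (normal admin activity).
SAMPLE_LOG = """\
2013-02-19 09:00:02 host=WS-0142 user=jsmith cmd=cmd.exe /c net user
2013-02-19 09:00:05 host=WS-0142 user=jsmith cmd=net group "domain admins" /domain
2013-02-19 09:00:09 host=WS-0142 user=jsmith cmd=net group "domain controllers" /domain
2013-02-19 09:00:14 host=WS-0142 user=jsmith cmd=tasklist /v
2013-02-19 09:00:20 host=WS-0142 user=jsmith cmd=ipconfig /all
2013-02-19 10:15:00 host=WS-0207 user=admin cmd=net user
2013-02-19 13:30:00 host=WS-0207 user=admin cmd=ipconfig /all
""".splitlines()


def detect_recon_bursts(lines, window=timedelta(minutes=10), min_categories=3):
    """Return {host: sorted categories} for every host that hit at least
    min_categories distinct reconnaissance categories within one window."""
    events = defaultdict(list)  # host -> [(timestamp, category)]
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that don't fit the expected format
        ts, host, _user, cmd = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for category, pattern in RECON_PATTERNS.items():
            if pattern.search(cmd):
                events[host].append((when, category))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window over each start
            seen = {cat for when, cat in evs[i:] if when - start <= window}
            if len(seen) >= min_categories:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Tune `window` and `min_categories` to the environment; a single `net user` is everyday administration, while five distinct categories from one workstation in under a minute is the pattern worth paging on.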

Which Leads To…
I guess the main takeaway from this is ‘Advanced Persistent Threats’ and ‘sophisticated attacks’ make the headlines, but they aren’t that different from online criminals using rootkits. They can be dealt with more effectively if more information like this is made available to everyone. Hopefully we’re seeing this begin to happen.