Mandiant Definitively Links APT Attacks to Chinese Army: Unit 61398 Identified

Published On February 19, 2013 | By Marc Zwillinger | Critical Infrastructure, Data Security, General, Hacking

On February 18, 2013, Mandiant, one of the country’s pre-eminent computer security companies with a deep background investigating the activities of suspected China-sponsored cyber-attackers, released a 74-page report, demonstrating a persuasive, if not definitive, link between the hacking group known as “Comment Crew,” and Unit 61398 of the People’s Liberation Army in China.  For years, this linkage has been rumored, discussed, and assumed, but without the sort of definitive public proof that could engender an appropriate public response.   That all changed with the release of this report. Despite its length, the report is worth a careful read, not just by computer security professionals, or cyberlawyers, but by anyone concerned with the systematic theft of U.S. companies’ intellectual property and the intentional infiltration of crucial control systems, including our energy and banking infrastructure. The highlights of the report include the fact that Mandiant has attributed over 141 successful company attacks to Unit 61398, which Mandiant believes is just a fraction of the total number of victims. More significantly, once the hackers successfully penetrate a victim, Unit 61398 has been able to preserve its access and its ability to siphon data for for an average duration of nearly a year, and in one case more than 4 years.  The value in the Mandiant report is three-fold. First, it provides an unprecedented level of insight into the activities, methodologies and habits of the greatest cyber-enemy facing our nation.  Second, it identifies specific tradecraft of the attackers, including source IP Addresses, malware programs, and other indicators of compromise that companies can use to conduct investigations of their own systems.   Third,  it sends a strong message to the Chinese government that U.S. companies are, in fact, watching their moves and foiling their efforts to remain unidentified.  More specifically, by calling out some specific actors who have been carrying out these attacks, Mandiant may have disabled or diminished the usefulness of the current attack techniques and/or specific attackers themselves.

For those of you who do intend to jump in and read the report, but don’t have time to digest all 74 pages in one sitting, here are some highlights you may want to read.  Pages 23 & 24 of the report describe the various types of industries that have been documented to be under attack by Unit 61398.  The list is wide-ranging in breadth and scope.   Page 25 discusses the types and volume of data that hacker group has been able to exfiltrate per incident.   This volume includes up to 6.5 terabytes of compressed data from one victim over a 10 month period.  Page 28 provides an actual example of a spearphishing attack directed against Mandiant itself, by someone pretending to be its CEO Kevin Mandia, which was designed to encourage Mandiant employees to click on a link containing malware.   The remainder of that section provides a detailed analysis of the type of malware used in the attacks, describes how such malware masquerades on the victim’s system as legitimate programs, and explains the functions performed by the malware.  The next section of the report, found at pages 39-49, contains a detailed analysis of how the attackers use “hop points,” intermediate computer systems used to attack U.S. systems or exfiltrate data so that the attacks are not directly traceable to China.  Included in that discussion, on page 48, is a list of the zones (collection of domain names that end with the same name) used by the hackers, which are all designed to seem sufficiently benign that security personnel would not find traffic to these destinations to be odd.  Perhaps most important, however, are the digital files that Mandiant has released along with the report.  Found at http://intelreport.mandiant.com/, it includes domain names, IP addresses, X.509 encryption certificates and MD5 hashes of malware in the hacker’s arsenal of weapons.

By releasing this report, Mandiant did U.S. companies and the U.S. government a great service.  Still, I wouldn’t want to be the guy in charge of keeping their network secure after the release of this report.  This report will not likely be received favorably in China.

About The Author

Marc is the founder and managing member of ZwillGen PLLC and has been regularly providing advice and counsel on issues related to the increasingly complex laws governing Internet practices, including issues related to Electronic Communications Privacy Act (“ECPA”), the Wiretap and Communication Acts, privacy, CAN-SPAM, FISA, spyware, adware, Internet gambling and adult-oriented content. He also helps Internet Service Providers and other clients comply with their compliance obligations pertaining to the discovery and disclosure of customer and subscriber information.

Comments