The document summarizes key findings from the 2013 Mandiant APT1 report about a Chinese cyberespionage group known as Unit 61398. The summary includes details about the group's infrastructure located in Shanghai, China, estimated size of hundreds to thousands of personnel, English language requirement, and extensive theft of intellectual property terabytes of data from over 100 organizations simultaneously and over long periods. Attack methods include initial reconnaissance, compromising initial systems, establishing footholds, lateral movement within networks, completing the mission by data exfiltration, and evading detection. Stolen data included intellectual property, contracts, policy papers and internal documents. Exfiltrated data was compressed and collected, sometimes sent over Google Calendar or MSN channels.

1. APTs, Cyber-
attacks, Cybercrime, Cyber
warfare and Cyber threats
exposed
Marcus Murray & Hasain Alshakarti
Truesec Security Team, MVP-Enterprise Security
x2

2. Marcus Murray Hasain Alshakarti

3. The threat landscape is changing..
It used to be kids hacking for fun…..

4. Not anymore....

5. Most countries have “cyber capabilities” today..

6. The ”Mandiant report”

7. Unit 61398 is partially situated on Datong Road
(大同路) in Gaoqiaozhen (高桥镇), which is
located in the Pudong New Area (浦东新区) of
Shanghai (上海). The central building in this
compound is a 130,663 square foot facility that
is 12 stories high and was built in early 2007.
* Mandiant APT1 report 2013

8. We estimate that Unit 61398 is staffed by
hundreds, and perhaps thousands of people
based on the size of Unit 61398’s physical
infrastructure.

9. “Unit 61398 requires its personnel to be
trained in computer security and computer
network operations and also requires its
personnel to be proficient in the English
language.”
* Mandiant APT1 report 2013

10. “They have systematically stolen hundreds of
terabytes of data from at least 141
organizations, and has demonstrated the
capability and intent to steal from dozens of
organizations simultaneously”*
* Mandiant APT1 report 2013

11. “Among other large-scale thefts of intellectual
property, we have observed them stealing 6.5
terabytes of compressed data from a single
organization over a ten-month time period.”
* Mandiant APT1 report 2013

12. Attack process
Initial Establish Lateral Complete
Initial recon Movement
compromize foothold mission
Maintain Internal
presence Recon
Escalate
privileges

13. Attack process

14. Initial recon

15. Initial recon

16. Initial compromize
Web Srv Mail Srv
DC File Srv Mail Srv
Client Client
Admin User

17. Establish foothold
C & C SRV
Web Srv Mail Srv
DC File Srv Mail Srv
Client Client
Admin User

18. What about antivirus?
Av-test
Trojan.exe Avhide Newtrojan.exe

21. Lateral movement
Web Srv Mail Srv
DC File Srv Mail Srv
Client Client
Admin User

22. Complete mission
Web Srv Mail Srv
DC File Srv Mail Srv
Client Client
Admin User

23. What about network detection?

24. Complete mission
Harvest data
• intellectual property
• business contracts
• negotiations,
• policy papers
• internal memoranda
• etc.
Compress and collect
• Rar+pwd
• etc.

25. Channel over MSN

26. Channel over Google calendar

27. FQDN used..
About half of APT1’s known zones were named according to three themes:
• News
• Technology
• Business.
aoldaily.com mediaxsds.net
reutersnewsonline.com
aunewsonline.com myyahoonews.com
rssadvanced.org
canadatvsite.com newsesport.com
saltlakenews.org
canoedaily.com newsonet.net
sportreadok.net
cnndaily.com newsonlinesite.com
todayusa.org
cnndaily.net newspappers.org
usapappers.com
cnnnewsdaily.com nytimesnews.net
usnewssite.com
defenceonline.net oplaymagzine.com
yahoodaily.com
freshreaders.net phoenixtvus.com
giftnews.org purpledaily.com
issnbgkit.net

28. Origins of attacks..

29. Marcus Murray Hasain Alshakarti

30. Thank you for listening! 