Chinese Group Tied To Massive, Ongoing Cyberattacks In U.S.


A security firm has tied hundreds of cyberattacks to a single organization based in China and said the campaign is massive in scope: hundreds of terabytes of data stolen from at least 141 organizations.

The attackers steal intellectual property or remain stealthy on computer systems for up to a year as part of surveillance activities, said security firm Mandiant, which has a forensics team investigating the cyberattacks. In a report issued Tuesday, Mandiant said it believes it has enough evidence to link the group to one of 20 cybercriminal organizations operated by the Chinese government.

Alexandria, Va.-based Mandiant analyzed a group it calls APT1, documenting the intrusions the group conducted against the breached organizations over seven years. In its report, "APT1: Exposing One of China's Cyberespionage Units," Mandiant said it has conclusive evidence tracing the group to Shanghai, and that the activities directly observed by Mandiant investigators represent only a small fraction of the cyberespionage the group has conducted.


"The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them," the firm said in its report. "From our observations, it is one of the most prolific cyberespionage groups in terms of the sheer quantity of information stolen."

The China-based attacker's tactics vary and include social engineering and spearphishing attacks, remote access tools and more than 40 malware families.

As part of its report, Mandiant issued thousands of threat indicators, including domain names and IP addresses that could be indicative of an attack from the APT1 group. The compilation includes encryption certificates and videos showing actual attacker sessions and intrusion activities in progress. The company also issued a free tool to detect compromised systems.

The attackers have targeted companies in 20 major industries, Mandiant said. The cybercriminals periodically revisit the infiltrated network over several months or years and steal technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from senior executives within the organization. At least one victim organization may have been penetrated for nearly five years before the attack was detected.

In one month alone in 2011, the APT1 group infiltrated 17 organizations. Mandiant said 87 percent of the victim organizations are based in countries where English is the native language.

Mandiant said APT1 is likely government-sponsored. A team of investigators tracked attacks back to four large networks in Shanghai and uncovered a substantial amount of the group's attack infrastructure, including command-and-control servers, tools and tactics.

The scale of the infrastructure supporting the group's attack campaigns is massive, consisting of 937 command and control servers hosted on 849 distinct IP addresses in 13 countries, according to the report. The group used a remote desktop to control the infected systems from abroad. Mandiant said it believes hundreds of people may be behind the attacks.

"Given the volume, duration and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors," according to the report. "APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics."

PUBLISHED FEB. 19, 2013