A Mandiant report that tied China to a cyberespionage operation and exposed how it infiltrated more than 100 businesses has significantly impacted the group's campaign, decreasing attacks and possibly forcing the group to turn to alternative methods.
The report, which outlined the well-organized attacks and provided thousands of infection and attack indicators, may have forced the group to change some operational methodology, according to Mandiant, which provided an update on its cyberattack research this week.
"APT1 is still active using a well-coordinated and well-defined attack methodology against a wide set of industries -- with a discernible post-report shift towards new tools and infrastructure," wrote Dan Mcwhorter, Mandiant's managing director for threat intelligence.
Alexandria, Va.-based Mandiant issued its report in February which, for the first time, linked the Chinese government to ongoing cyberespionage operations targeting businesses and government agencies globally. The scope of the attacks was massive, according to the report, with the group it calls APT1 retrieving hundreds of terabytes of stolen data. The attackers gain access to corporate systems to steal intellectual property, remaining stealthy for up to a year or longer, Mandiant said.
Among the threat indicators publicly released by Mandiant were domain names and IP addresses that could be indicative of an attack from the APT1 group. Mandiant said the report helped shed light on the threat, making the group's activities more difficult to carry out, but not impossible. The report said APT1 was one of more than 20 advanced persistent threat actors.
"APT1 has stopped using the vast majority of the infrastructure that was disclosed with the release of the indicators," Mcwhorter wrote. "These groups also conduct cyberespionage campaigns against a broad range of victims and, based on Mandiant's observations, they were not directly affected by the release of the Mandiant APT1 report."
Nation-state driven cyberespionage attacks increased significantly according to the 2013 Verizon Data Breach Investigations Report. Much like financially motivated attacks, the Verizon report found that cyberespionage campaigns often use stolen account credentials and seek out configuration weaknesses and vulnerabilities. The attackers conduct their operations remotely using command and control servers in different locations.
Mandiant traced nearly all of the group's 832 IP addresses to four large areas in Shanghai, believed to be the APT1 home networks. The goal of the report was to temporarily increase the costs of the group's operations and impede their progress. The report found that the group's tactics include social engineering, remote access tools and more than 40 malware families. Mandiant released 13 encryption digital certificates used by APT1 and videos showing attacker sessions.
APT1 installs multiple backdoors for remote access as it claims more systems in the environment, the report found. The attackers are constantly looking for valid user credentials to impersonate a legitimate user and avoid detection from security systems. Web portals are a favorite attack vector and include Web-based email systems such as Outlook Web Access, Mandiant said. The group can steal email messages and file attachments from the Microsoft Outlook archive files.
PUBLISHED MAY 23, 2013