Print Edition: March 20, 2013
Thanks to the world wide web, we’re living a more convenient lifestyle but also a more dangerous one.
We use online services for social networking, shopping, updating account info and casual lollygagging.
We surrender personal information to companies over the internet to gain access to services such as Facebook, email, PayPal, online banking and even our university website.
The internet knows a lot about you, and if the company whose services you use suffers a security breach, someone else could quickly have access to your personal files.
An organization called Mandiant specializes in investigating and resolving computer security compromises. In a report earlier this year, titled APT1: Exposing One of China’s Cyber Espionage Units, they claim that since 2004 there have been security breaches at hundreds of organizations around the world.
The groups they hold responsible for the majority of these security breaches are referred to as “Advanced Persistent Threats” (APTs). The report focuses on the most prolific of them, APT1, which is one of more than 20 APT groups originating in China.
Mandiant has evidence that not only is APT1 based in China, but that it may work closely with the Chinese government.
“The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement,” Mandiant states in the executive summary of the report.
Mandiant theorizes that APT1 likely receives direct government support, which is why it is able to wage such an intensive cyber espionage campaign against American, Canadian and some European businesses. APT1 and Unit 61398 of China’s People’s Liberation Army (PLA) are similar in their mission, capabilities and resources, and PLA Unit 61398 is located in the exact area to which Mandiant traces APT1 activity.
Part of their investigation included tracking APT1’s activity to four large networks in Shanghai, two of which are where Unit 61398 is located in the Pudong New Area.
Mandiant claims that APT1 has already stolen hundreds of terabytes of data from at least 141 organizations.
“Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale,” stated Tom Donilon, President Obama’s national security adviser, addressing the Asia Society in New York.
He spoke on behalf of the White House a little under two weeks ago in demanding the Chinese government stop the widespread theft of data from American computer networks and instead agree to “acceptable norms of behaviour in cyberspace.”
APT1 is aggressive in its attack methodology, refining and redesigning its techniques over years of practice to steal large volumes of valuable intellectual property. Once it establishes access to a system, it periodically revisits the victim’s network to steal new intellectual property.
Mandiant was able to track a number of APT1 personas who made “poor operational security choices” that exposed their identity.
“UglyGorilla” is responsible for authoring malware and registering domains belonging to APT1. “DOTA” registers email accounts to phish for information – sending spoofed emails targeting specific organizations in an attempt to trick users into giving up confidential data. The “SuperHard” persona is a significant author of the AURIGA and BANGAT malware families used by many APT groups.
Mandiant’s report fully details the immense scale and duration of APT1’s operation. The attacks are increasing in complexity and sophistication even as we attempt to learn more about them.
It is often difficult to estimate how much data APT1 steals per intrusion. APT1 deletes the compressed archives after stealing data, leaving hardly any evidence of the pilfered files. What little evidence of a breach remains is usually overwritten during regular business activity before Mandiant has time to investigate.
Firewalls and other security applications do not monitor or identify data theft because they are designed to keep intruders out of the system rather than to prevent data loss once an intruder has already gained access.
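One defender-side check that follows from this pattern, added here as an illustration and not taken from the report or the article: correlate an archive being created, a comparably sized outbound transfer, and the archive being deleted shortly afterwards. The log format, paths, addresses and sizes below are constructed for the example.

```python
"""Flag archives that are created, pushed out of the network, then deleted.

The event format "<ISO timestamp> <EVENT> <detail>" and every record in
SAMPLE_LOG are constructed for this example; they do not come from the
report. Real deployments would read host audit and egress telemetry.
"""
from datetime import datetime, timedelta

ARCHIVE_EXTS = (".rar", ".zip", ".7z")
WINDOW = timedelta(minutes=30)

# Constructed sample events: one staged exfiltration (a.rar) and one
# benign archive that is only deleted a day later (report.zip).
SAMPLE_LOG = """\
2013-03-01T02:10:00 FILE_CREATE C:\\Windows\\Temp\\a.rar size=734003200
2013-03-01T02:14:30 NET_EGRESS dst=203.0.113.7 bytes=734002944
2013-03-01T02:16:05 FILE_DELETE C:\\Windows\\Temp\\a.rar
2013-03-01T09:00:00 FILE_CREATE C:\\Users\\bob\\report.zip size=2048
2013-03-01T09:30:00 NET_EGRESS dst=198.51.100.9 bytes=4096
2013-03-02T11:00:00 FILE_DELETE C:\\Users\\bob\\report.zip
"""


def parse(log):
    """Split each line into (timestamp, event kind, detail string)."""
    events = []
    for line in log.splitlines():
        ts, kind, detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    return events


def find_staged_exfil(log, window=WINDOW, min_ratio=0.9):
    """Return alerts for archives created, sent out and deleted within `window`."""
    created = {}   # archive path -> (creation time, size in bytes)
    egress = []    # (time, destination, bytes sent)
    alerts = []
    for ts, kind, detail in parse(log):
        if kind == "FILE_CREATE":
            path, size = detail.rsplit(" size=", 1)
            if path.lower().endswith(ARCHIVE_EXTS):
                created[path] = (ts, int(size))
        elif kind == "NET_EGRESS":
            fields = dict(f.split("=", 1) for f in detail.split())
            egress.append((ts, fields["dst"], int(fields["bytes"])))
        elif kind == "FILE_DELETE" and detail in created:
            t0, size = created.pop(detail)
            if ts - t0 > window:
                continue  # long-lived archive: ordinary housekeeping, not staging
            # An outbound transfer between creation and deletion that is at
            # least min_ratio of the archive size is the exfiltration signal.
            for te, dst, nbytes in egress:
                if t0 <= te <= ts and nbytes >= min_ratio * size:
                    alerts.append({"path": detail, "dst": dst, "bytes": nbytes})
                    break
    return alerts
```

Run against the sample, only the `a.rar` sequence is flagged; `report.zip` is skipped because its deletion falls outside the window.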
There is a large organization of people behind these attacks, with at least a dozen and potentially hundreds of people in the ranks.
Just think about that next time you assume your information is safe on the internet.