Analysis Of The Advanced Persistent Threat 1 Report
Abstract
This paper explores and serves as a reaction to the report compiled by Mandiant, an American cyber-security firm, on the “Advanced Persistent Threat 1 (APT 1)” group. This is an organization of cyber operators that has allegedly participated in cyber espionage activities for nearly seven years against almost one hundred-fifty victims. APT 1 is believed to be operating under the control of the Chinese Government out of several locations within the country. One purpose of this paper is to examine the perceived threat that this group (APT 1) poses to the United States and its homeland security. This paper will also respond to the following inquiries: 1. How does this adversary threaten the U.S.? 2. Why not block all IP addresses originating from the source country? 3. How has the United States responded to the information outlined in this report?
Mandiant APT 1: Exposing One of China’s Cyber Espionage Units
Since 2004, Mandiant has been investigating numerous “Advanced Persistent Threat” groups, or “APTs.” One such group of focus is APT 1, an organization of cyber operators believed to be operating under the control of the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, also referred to as Unit 61398. APT 1 is thought to be conducting secret, destructive “Computer Network Operations” under the direct control of the Chinese Government, based in Shanghai. APT 1 operates from a large facility potentially occupied by thousands of operators and supported by major network infrastructure. All of these operators are skilled in computer and cyber security, computer networks, and the English language. APT 1 is reported to have stolen data from approximately 141 different companies and organizations in various industries since 2006, and has proven itself advanced and capable of simultaneous operations. These victims are almost entirely based in English-speaking countries and are involved in industries that China has identified as key to its growth and development. Therefore, based on the totality of the evidence, Mandiant has come to the almost certain conclusion that APT 1 is operating as a cyber-espionage group under the control of the Chinese Government, and that enough research has been gathered on APT 1 to publicly expose its operations (Mandiant, 2013).
Assuming that Mandiant’s findings are completely accurate, the APT 1 group undoubtedly poses a significant threat to the United States of America and the security of the homeland. APT 1, or Military Unit Cover Designator (MUCD) 61398, has been confirmed to be a group under the control of the Communist Party of China (Central Military Commission). APT 1 focuses on military, economic, and political intelligence data in the United States, Canada, and other English-speaking nations. The members of the presumed Unit 61398 are experts not only in the English language but also in covert communications, operating systems, digital signal processing, and network security. Digital, aerial, and internal Chinese data has been gathered by Mandiant as proof of the massive infrastructure belonging to APT 1 in the Pudong New Area of Shanghai. This includes fiber optic communication infrastructure provided to APT 1 by a state-owned organization in China. Cyber-security and cyber-terrorism are relevant and significant threats that the U.S. currently faces. Government and private-sector agencies work so closely in the U.S. that data sharing is unavoidable, and much of that data is controlled and maintained by private-sector organizations. This is where the perceived threats of APT 1 become relevant to the U.S.: APT 1 has mainly compromised target corporations in English-speaking nations such as the U.S., Canada, and other allies. The industries that APT 1 has targeted and compromised include the following: information technology, transportation, high-tech economics, financial services, navigation, legal services, engineering, media, advertising, and entertainment, food and agriculture, satellites and telecommunications, chemicals, energy, scientific research and consulting, public administration, construction and manufacturing, aerospace, education, healthcare, and metals and mining.
If we examine this list of industries, it is clear that it covers almost the complete spectrum of U.S. critical infrastructure. APT 1 has compromised the above industries and collected data for periods of one to nearly five years at a time. Also, four of the seven industries recognized by China in its 5-year plan are represented above and were of main focus to APT 1 (Mandiant, 2013) (Bullock et al., Ch. 8, 2013).
Cyber-security is a continual concern for this country, in addition to protecting our other national infrastructure systems. Protecting our cyberspace is also an enormous undertaking, and the future of modern warfare is that of cyber-warfare. Our cyberspace and cyber infrastructure affect everyone in the nation. Cyberspace is not entirely secure or resilient to an attack, yet it drives almost every facet of the country, from government operations to private industry. The effects of these cybercrimes are often devastating to the victims, and the effects that a large-scale cyber-attack would have on this nation as a whole are grim. It is also difficult for the U.S. to be fully prepared for an attack of such magnitude. A majority of cyber networks are owned or operated by private industry or companies, which can make them even more vulnerable in some cases. Cyber-infrastructure also includes information and data systems which are in need of protection. Cyberspace and cyber-infrastructure form an international network, so international security efforts are important. Cyber-security is something that should command attention and focus from local, state, federal, private, foreign, and international agencies and groups. The principles of successful cyber-security are action, public-private cooperation, understanding, awareness, technology investments, threat prioritization, and resilience. These principles are difficult to achieve without full disclosure and understanding of an adversary such as APT 1. It is for these reasons alone that APT 1 is such a difficult adversary and threat to the U.S., simply due to the complexities of combating cyber-attacks (Bullock et al., Ch. 8, 2013).
The aforementioned information gathering is not only dangerous for security reasons; it could also be crippling to the economy of the U.S. Let us examine the type of information that APT 1 has obtained from numerous organizations, including: product development and use, including information on test results, system designs, product manuals, parts lists, and simulation technologies; manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes; business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions; policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel; emails of high-ranking employees; and user credentials and network architecture information. It is clearly seen that this information is exactly what is needed to cripple an industry or organization. It is this precise insider knowledge that makes APT 1 such a threatening adversary. Backdoors, malware, phishing, and the circumvention of firewalls allow APT 1 to gain access to restricted areas where it can break down controls and modify, delete, start, stop, and shut down entire systems. The industries that are targeted are crucial components of critical infrastructure in the U.S., and APT 1 could potentially obtain enough information to shut down these industries (Mandiant, 2013).
Mandiant defines this adversary as a threat group, that is, “a collection of intruders who are working together to target and penetrate networks of interest.” APT 1 is such a unique adversary because it is unknown who, individually, is behind the actual computer screen. Therefore, it is difficult to determine an exact actor and motive. These cyber-attacks could prove fatal to the U.S. and global economy. “A report in July issued by the Commission on the Theft of American Intellectual Property said theft of business and industrial secrets cost the U.S. economy some $300 billion a year and that China was responsible for most of it (Schwartz, 2013)”. It is also difficult to track exactly how much information APT 1 has obtained, making the group an even larger threat. The true threat of APT 1 lies in the fact that it possesses the variable of an “intelligent adversary.” This essentially means an adversary that can think and react: one that is able to act when the vulnerability of, and/or the consequence for, the target will be high. Therefore, it is hard to determine a probability as to the threat of this adversary. This adversary is also of high importance to the U.S. because of the unknown. APT 1 has the ability to steal massive amounts of sensitive data, and the endpoint destination of that data is still unknown. The adversary infiltrates through a cycle approach. That cycle consists of the initial compromise, establishing a foothold, escalation measures, monitoring, internal reconnaissance, lateral movement, and completing the mission (Mandiant, 2013).
One potential solution to combat the actions of groups like APT 1 is to block IP addresses that originate from the source nation, China. However, this solution is problematic. Simply blocking all IP addresses that originate from China will not terminate the operations and activities of APT 1. APT 1 has been reported by Mandiant to have used approximately 832 different IP addresses that appear to originate from over 13 different countries, including 559 that appear to be U.S. based. Through “hop points” and proxy tools such as HTRAN, APT 1 has the ability to create a façade of any IP address that it chooses. APT 1 can essentially appear to be an IP address from any nation it chooses, and that is all the victim will be able to see. This is also continually accomplished through APT 1’s expert use of remote desktops, which enable the operators to use several IP sources, all from their operations center in Shanghai. Backdoor traffic can appear as legitimate traffic to a victim once APT 1 has made its initial infiltration. This can also allow the group to acquire passwords, appear to have legitimate credentials, maintain its presence, and create further backdoor systems, all under a false pretense. APT 1 also has the ability to supply different registration data in its domain names and to create false data that appears legitimate to a victim. This can be done through spear phishing, placing malware in ZIP files, and hijacking domains. Therefore, simply blocking IP sources from China will not provide any significant solution to the issue of APT 1’s intrusions into American cyber-space, as it is abundantly evident that this restriction can be easily overcome (Mandiant, 2013).
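To make the argument above concrete from the defender's side, the following added example (not part of the original paper or of the Mandiant report) scores a country-based block rule against an indicator-based block rule over constructed flow records in which most attacker connections arrive through hop points outside China. The geolocation table, the addresses (RFC 5737 documentation prefixes) and the hop-point list are all assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed geolocation table: documentation prefixes used as stand-ins,
# NOT real country allocations.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "CN",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "GB",
}

# Constructed flow records: (source IP seen by the victim, path, is_attacker).
# A relayed flow shows the hop point's address, not the operator's.
FLOWS = [
    ("203.0.113.10",   "direct",          True),   # operator connecting directly
    ("198.51.100.7",   "hop point (US)",  True),   # same operator via a US relay
    ("198.51.100.9",   "hop point (US)",  True),   # relay not yet on any list
    ("192.0.2.44",     "hop point (GB)",  True),
    ("203.0.113.55",   "direct",          False),  # legitimate CN business partner
    ("198.51.100.200", "direct",          False),  # legitimate US customer
]

# Constructed indicator list of relay addresses learned from earlier incidents.
KNOWN_HOP_POINTS = {"198.51.100.7", "192.0.2.44"}

def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"

def geo_block(ip: str, blocked_countries=frozenset({"CN"})) -> bool:
    """Country-based firewall rule: True if the flow would be dropped."""
    return country_of(ip) in blocked_countries

def indicator_block(ip: str) -> bool:
    """Indicator-based rule: drop flows from addresses on the hop-point list."""
    return ip in KNOWN_HOP_POINTS

def evaluate(rule) -> dict:
    """Count attacker flows the rule stops and benign flows it breaks."""
    stopped = sum(1 for ip, _, atk in FLOWS if atk and rule(ip))
    collateral = sum(1 for ip, _, atk in FLOWS if not atk and rule(ip))
    attackers = sum(1 for _, _, atk in FLOWS if atk)
    return {"stopped": stopped, "attackers": attackers, "collateral": collateral}

if __name__ == "__main__":
    for name, rule in (("geo-block CN", geo_block), ("hop-point list", indicator_block)):
        print(f"{name}: {evaluate(rule)}")
```

On this constructed data the country block stops one of four attacker flows while breaking a legitimate partner's traffic, and even a curated indicator list misses the relay that has not been seen before, which is why detection of post-compromise behaviour, not source blocking, carries the weight.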
In response to the Mandiant Report and the accusations made therein, there is still some debate as to the accuracy of the findings. There is still some controversy as to the claims of Mandiant, and critics note that Mandiant has neglected to acknowledge the involvement of other nation-states in the cyber espionage community. The Chinese Government has maintained its innocence since the report was released. The Chinese have claimed that Mandiant’s accusations are baseless and completely inaccurate. The Chinese, however, did not offer evidence to dismiss any of the claims. It is also notable that Mandiant points out that the Chinese Government is extremely restrictive with internet usage, and it is highly unlikely that China was completely unaware of APT 1’s actions. The only alternative that Mandiant provides is that APT 1 (if not actually Unit 61398) was in fact an independent group with military-grade computer network operations, organization, funding, and discipline that had access to Shanghai infrastructure and knowledge of Unit 61398’s mission, which Mandiant admits is highly unlikely. Conversely, it has also been suggested that the report was a strategy to increase the sales of the company’s services. After the report was released, U.S. spokesperson Victoria Nuland was quoted stating, "We've raised our concern at the highest level about cyber-threats from China, including the involvement of the military… Without getting too deeply into the details of private diplomatic discussions we're having, what we have been involved with is making clear that we consider this kind of activity a threat not only to our national security but also to our economic interests, and laying out our concerns specifically so that we can see if there's a path forward (Schwartz, 2013).” There are also some suggestions that the U.S. has taken somewhat of a non-approach to the issue, that APT 1 or Unit 61398 has simply changed its cyber tactics, and that the Mandiant report merely put a temporary halt on operations which are still continuing. The U.S.-China Economic and Security Commission, a panel that advises the U.S. Congress on policy relating to China, stated, “Mandiant's revelations brought only a brief pause in cyber intrusions by that PLA unit,” and that the report "merely led Unit 61398 to make changes to its cyber 'tools and infrastructure' (to make) future intrusions harder to detect and attribute." China has maintained that the methods used by Mandiant cannot prove that it is responsible, and pledges its opposition to cyber-espionage. President Obama and his Chinese counterpart, Xi Jinping, created a “bilateral working group to discuss cyber-security issues.” This group has only met twice since July of 2013 (Schwartz, 2013) (Charles and Eckert, 2013).
In conclusion, the Mandiant APT 1: Exposing One of China’s Cyber Espionage Units report issued in February 2013 was a document that allegedly unveiled the cyber-espionage activities of the “Advanced Persistent Threat 1 (APT 1)” group. This is an organization of cyber operators that has allegedly participated in cyber espionage activities for nearly seven years against almost one hundred-fifty victims, mainly with ties to the United States. APT 1 is believed to be operating under the control of the Chinese Government out of several locations within the country and based in Shanghai. APT 1 is a unique adversary due to the several unknown factors and the secrecy of the group’s operations. Knowledge of APT 1 is also being disputed by the Chinese Government. Due to some controversy and criticism as to the validity of the report, it seems that the United States has not initiated many responses to the Mandiant Report.