Wednesday, 20 February 2013

Mandiant Lifts The Lid on APT


The claim that China is the root of all evil when it comes to cyber attacks went up a notch yesterday, when security specialists Mandiant released a damning report claiming that a sophisticated team of hackers, with suspected connections to the People’s Liberation Army (PLA) and the Chinese Communist Party (CCP), had systematically hacked over 140 organisations over a 7-year period.

Why Release The Report?
There have been numerous attempts over the last few years to pin every single cyber-attack onto a group or individual originating from a Chinese network.  Some justified, some not so, but it’s an easy target to pin things against.  Many of the claims, however, have lacked the detailed technical and circumstantial foundation needed to back them up and move towards either active defence or proactive prosecution.  The Mandiant report – and I really recommend reading it in full to appreciate the level of detail that has been generated – really looks to point the finger, but this time with a credible amount of detail.  The obvious downside of being so detailed is that the attackers now have a point of reference from which to mobilise further obfuscation techniques.  However, the report also provides several powerful assets, such as address and domain information and malware hashes, all of it useful material in the fight against further attacks.

How Bad Is It?
The detail is eye-watering.  141 victims attacked over a 7-year period, with terabytes of data stolen, is not a nice read, whatever the contents.  The startling fact was simply the scale of the operation behind the attacks.  Not only were the attacks persistent, but the infrastructure required to allow such complex and sustained attacks to take place covered an estimated 1,000 servers, with hundreds, if not thousands, of operators and control staff.  The victim data was equally interesting, with several of the most heavily targeted sectors appearing on the industry list of China’s 5-year strategic emerging industries plan.  This raises questions surrounding ethics, morality, intellectual property protection and competitive behaviour too.  The data points to a strategic industrial programme to steal and use legal, process, leadership and technical information on a vast scale.

What Happens Now…
The report will no doubt split opinion in both the infosec community and the surrounding political circles.  The report points to industrial theft on a grand scale.  Links to the PLA and CCP are not made on a whim, and there will no doubt be a political response.  From an effective defence perspective, where does it leave us?  Well, the report contains the practical information that many secops teams can put to use for blacklists and malware identification.  The longer-term impact remains unknown at present.  The team behind APT1 will obviously apply countermeasures, altering their approach and attack vectors.  Mandiant themselves may well be at risk of hacking as a result, if they were not already.

I think ultimately it goes some way to crystallise the view that long-term effective attacks via the internet are commonplace, sophisticated and long-term.  They provide an effective way for industrial secrets to be stolen and used, regardless of the levels of software and process protection organisations use.