Slashdot Mirror


Security Firm Mandiant Says China's Army Runs Hacking Group APT1

judgecorp writes "The Chinese government has been accused of backing the APT1 hacking group, which appears to be part of the Chinese People's Liberation Army (PLA), according to the security firm which worked with the New York Times when it fell victim to an attack. The firm, Mandiant, says that APT1 is government sponsored, and seems to operate from the same location as PLA Unit 61398." Unsurprisingly, this claim is denied by Chinese officials. You can read the report itself online (PDF), or skim the highlights.

25 of 137 comments

  1. No kidding by crazyjj · · Score: 4, Interesting

    I would be surprised to learn of any major military power today that DOESN'T have a cyberwarfare division (and god knows how many government contractors doing it on the sly). This only exposes something publicly that every security researcher has known for over a decade.

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
    1. Re:No kidding by Virtucon · · Score: 3, Funny

      Yeah, I'm sure the US government already knows about it and has brought it up privately with the Chinese. I expect the conversations went nowhere:

      US: We want you to stop your cyberespionage in the US.
      China: You want fried rice or steamed rice with that?

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    2. Re:No kidding by jsepeta · · Score: 2, Interesting

      But somehow Hillary Clinton failed to stress the danger the US is in every day because of Chinese military-sponsored attacks on US corporations' websites. Hopefully (doubtfully) John Kerry will be more transparent.

      --
      Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
    3. Re:No kidding by daem0n1x · · Score: 3, Funny

      I love the smell of naive self-righteous bullshit in the afternoon.

    4. Re:No kidding by Virtucon · · Score: 4, Insightful

      Do you expect a politician to admit when they've left their guard down? Take a look at the Embassy killings in Benghazi if you want a road map as to how the State Department handles transparency.

      The fact of the matter is that we are under attack daily from the interests of foreign governments or from organizations that receive support and funding from those same governments. Espionage has changed; it doesn't take collateral assets to infiltrate factories when you can hire a bunch of college kids to hack the aerospace firms' systems or get those strategy documents from the banking firm. What has to happen is that people need to start treating the Internet like their front door. Firewalls are good, but you don't let just any information out of your home and you certainly don't let everybody in your house either. The Chinese have been observed for years doing this, so here's a simple thought: Disconnect them from the Internet. Oh wait, that would cause problems with international conventions on fairness, right? Frankly, if the Obama administration took this seriously they'd be sending that message: Either clean up your act or we'll disconnect your access. Sure, they can then proxy or go elsewhere, but at least it would be a stand instead of the constant words going back and forth. The Chinese will only respond to actions, not words, and we have to start taking more actions where this is concerned.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    5. Re:No kidding by 0racle · · Score: 4, Insightful
      I would expect it to be closer to:

      US: We want you to stop your cyberespionage in the US.
      China: You first.

      --
      "I use a Mac because I'm just better than you are."
    6. Re:No kidding by Runaway1956 · · Score: 2

      Somehow, I fail to see the difference. We want certain kinds of information, that we believe will make our nation stronger. They want any and all information, that they believe will make their nation stronger.

      Pot, meet Kettle.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    7. Re:No kidding by gotak · · Score: 2

      1) I am sure the US totally wants to steal information on any stealth fighter being developed in China. They want to know what they are making. And I am sure there are many efforts in progress to gain as much information as possible.

      2) "Free" vs "Un-Free" is not the determining factor in innovation and scientific achievements now or into the future. You should be more worried about spending on education, society's attitude to science and bans on things like stem cell research. In spending on education and society's attitude to science the US is lagging many other nations.

    8. Re:No kidding by Squidlips · · Score: 2

      Kerry Transparent???? He certainly was transparent when he moored his yacht in Rhode Island to avoid $700,000

  2. Internet Control by Anonymous Coward · · Score: 4, Insightful

    Stories like this will be used to push draconian internet control and cyber-security laws on the American public.
    Don't be fooled.

  3. So what else is new? by mnooning · · Score: 5, Interesting

    I was so excited when I got my first wireless router a number of years ago that I used to check the in/out listings daily. I did not care too much about unauthorized access (who would want to monitor me?) so I just chose the Netgear defaults. I quickly found out that a number of DAILY accesses were from somewhere in China. They were not from the same places in China, but they were from China nonetheless. I quickly made the security corrections. Fortunately they do not seem to get in now. Emphasis on the words "seem to".

    1. Re:So what else is new? by Xest · · Score: 3, Insightful

      A lot of people forget that the population of China is what, 1/5th the world's population?

      As such it would make statistical sense that around 1/5th of attacks they see are from China.

      This is a figure that tallies pretty well with attacks I've seen on every net-facing system I've bothered to monitor. I wouldn't say there are proportionally more attacks from China relative to their share of the world's population than anywhere else. Given the US' population, Russia's population, or a number of South American and Eastern European states whose names I've seen pop up a fair bit, it's actually the case that I see disproportionately more attacks from these states relative to their population.

      I'm not defending China though, I don't buy the conspiracy theories, I think China genuinely is trying to get ahead in the world by stealing corporate secrets more so than anywhere else. The problem is, that Western states are easy targets because they assume that every country is like their own - that no competitor will hack them because that would be corporate suicide for their competitor if the truth ever came to light - the problem with this is that it ignores nations where the governments actively support such activity, rather than come down on it with the full force of the law more actively.

      My point though is this: even TFA mentions that only something like 140 organisations have been targeted by this group. That's not really a lot, so if you see hack attacks on your personal router it's simple paranoia to assume the Chinese government is trying to hack you rather than a simple statistical likelihood that China has its share of blanket IP/port scanning script kiddies like anywhere else. If however you work for a Fortune 500 with something of value, there's a much greater chance that they are indeed out to get you.

    2. Re:So what else is new? by mnooning · · Score: 2

      Okay. I have a Netgear WNR3500L.

      If you examine the Netgear log, you should never get anything of the type below, as it is something that Netgear would have allowed in whether you liked it or not. The example below is from Jinan, China.

      [LAN access from remote] from 221.1.202.102:56024 to 192.168.1.4:32789 Sunday, Jul 22,2004 23:43:16

      Log messages of the form below are things that your computer requested, such as when you clicked on a link, and the router allowed. The "192.168.1.2" was assigned to my laptop.

      [Site allowed: web.mail.comcast.net] from source 192.168.1.2, Sunday, Jul 22,2004 19:12:08

      Disable the Router's PIN!!! It has a brute force vulnerability. There are (now) numerous articles on it.

      Use WPA2-PSK[AES] encryption.

      Use a very long administrative password with capital and small letters, and numbers.

      Use a long user's logon password with a good alphanumeric mix. You only have to type it into your laptop or computer once.

      After you have done all this, log out of the router, then reboot it. Then log back in and change both the administrative and the user's passwords again. This is because an outside agent can monitor/gather info while you are doing the first set. Presumably you can change the passwords again before the outside agent has a chance to analyze that you changed it the first time, and hence has no chance to monitor the second change. Paranoid, yes, but, I NEVER get the "LAN access from remote" messages anymore.
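    The check mnooning describes, done programmatically: an added example (not the poster's code, and not a Netgear tool) that reads a Netgear-style router log, picks out the "[LAN access from remote]" entries, discards the ones whose source is itself a LAN host, and counts which internal host:port pairs are being reached from the Internet. The sample log is constructed for this example; the first line reuses the entry quoted above, the rest are made up, and the line format is assumed from the two entries shown in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in the format quoted above. Only the first
# "[LAN access from remote]" line is taken from the thread; the rest are
# made up for this example (dates/times are not real captures).
SAMPLE_LOG = """\
[LAN access from remote] from 221.1.202.102:56024 to 192.168.1.4:32789 Sunday, Jul 22,2004 23:43:16
[Site allowed: web.mail.comcast.net] from source 192.168.1.2, Sunday, Jul 22,2004 19:12:08
[LAN access from remote] from 221.1.202.102:56031 to 192.168.1.4:32789 Sunday, Jul 22,2004 23:45:02
[LAN access from remote] from 192.168.1.9:51000 to 192.168.1.4:445 Sunday, Jul 22,2004 23:50:10
"""

# Assumed format: "[LAN access from remote] from SRC:SPORT to DST:DPORT <timestamp>"
REMOTE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) (?P<when>.+)$"
)


def audit_remote_access(log_text):
    """Return the 'LAN access from remote' events whose source is an Internet host.

    Each finding is a dict with src, sport, dst, dport (ints for ports) and the
    raw timestamp string. Events whose source is not globally routable (RFC 1918,
    loopback, link-local, etc.) are skipped: those are LAN hosts talking to each
    other through the router, not inbound connections from outside.
    """
    findings = []
    for line in log_text.splitlines():
        m = REMOTE_RE.match(line)
        if not m:
            continue  # outbound "Site allowed" lines and anything else
        src = ipaddress.ip_address(m["src"])
        if not src.is_global:
            continue
        findings.append({
            "src": m["src"],
            "sport": int(m["sport"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "when": m["when"],
        })
    return findings


def exposed_services(findings):
    """Count internal (host, port) pairs reached from outside.

    Anything that shows up here is a service the router is forwarding (or a
    UPnP/NAT hole) and should be explained or closed.
    """
    return Counter((f["dst"], f["dport"]) for f in findings)


if __name__ == "__main__":
    hits = audit_remote_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h['when']}: {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']}")
    for (host, port), n in exposed_services(hits).most_common():
        print(f"exposed: {host}:{port} ({n} inbound connections)")
```

    The LAN-host filter matters: the 192.168.1.9 entry in the sample is a neighbour on the same network hitting port 445, which is a different problem from an Internet host reaching the NAT'd laptop. Point the script at the router's exported log rather than a copy-paste from the web UI so that the full line (including the source port) survives.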

  4. 3D printer by ArcadeMan · · Score: 2

    Now that I know what PLA is made of, I'll be printing with ABS from now on.

  5. Can it really be called hacking? by sl4shd0rk · · Score: 4, Insightful

    When all your base are so easy to belong?

    -- U.S. government receives a grade of "C-"
    -- DHS received a "D" for 2006, an "F" in 2005
    -- DoE pulled its grade up to a "C" from an "F."
    -- Department of Commerce received an "F"

    http://www.technewsworld.com/story/56892.html

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  6. Try Again by Anonymous Coward · · Score: 3, Insightful

    I would be surprised to learn of any major military power today that DOESN'T have a cyberwarfare division (and god knows how many government contractors doing it on the sly). This only exposes something publicly that every security researcher has known for over a decade.

    I'm sorry, you were saying you have evidence of the United States targeting civilians, newspapers and non-military corporations by paying a third party to do it and then denied it? This isn't pot/kettle this is apples/oranges.

  7. Actual Report Here by guttentag · · Score: 5, Informative
    Direct Link to the 6.8 MB PDF file here.

    Mandiant page with appendix and hashes for their materials here.

    I was reading through this last night and it contains some interesting details, but is also something of an advertisement for Mandiant's services. Some highlights:
    • The name of the group is People's Liberation Army Unit 61398 in Shanghai, and Mandiant has found that one of their personas uses easy to remember passwords for the many accounts he sets up, including a sort of mnemonic for the unit's number (“2j3c1k” likely stands for 2 ju 3 chu 1 ke, which likely stands for 2nd Bureau, 3rd Division, 1st Section, which is the official name of Unit 61398). The majority of attacks come from the neighborhood where this unit is based, and they have been supplied with "special" fiber connections "in the name of national defense."
    • The group is focused on the U.S. and Canada, and is mostly interested in attacking the information technology industry, but has taken an interest in aerospace, public administration, satellites and telecom, scientific research, energy and transportation.
    • They include interesting profiles of three "personas" known to be involved in the unit's attacks: Malware author "Ugly Gorilla" (a.k.a. "Wang Dong"), hacker "DOTA" (whose gmail account they claim to have broken into, and they provide a screenshot) and tool author "SuperHard" (Mei Qiang).
    • The group uses the term “rouji,” which translates to "Meat Chicken," in their software to refer to infected computers.
    1. Re:Actual Report Here by Is0m0rph · · Score: 3, Funny

      Are you sure with the aliases of Wang Dong and SuperHard this isn't some Chinese gay porno movie making unit?

  8. we're in denial by Anonymous Coward · · Score: 5, Interesting

    posting anon for obvious reasons. I work for a very large tech company, and we've been trying to remove these bastards for years. YEARS. But the admins still click on cutepicture.exe in their email, and the devs always open the malicious Confidential2012salaries.ppt.... so it's like one big game of whack-a-mole. When we get more effective, sometimes we can maintain a dry environment for a good long time. Other times they throw serious resources at us and we get flooded, sometimes even tracing malicious action to short-term contractors physically working in the US. It's like a swarm of locusts, picking through every bit of data with commercial value. I think one thing that escapes many US/EU security people is the scale of the PRC effort. When you have tens of thousands of people at your disposal, and update your overall plans every 5 years, it's never "a hack." If you do anything they're interested in, they're in your house.

    But two alternate realities persist:
    1. The Chinese government will continue to vapidly claim that attribution based on years of solid data is an "unfounded and irresponsible" accusation. It is difficult to understand or engage with an adversary on any constructive level when their government consistently spouts predictable juvenile lies.
    2. Our/your PR & legal people will steadfastly refuse to discuss the long-game nature of the Chinese intrusions, and deny they started 2-5-10 years ago and persist to this day. (We got a good chuckle out of the NYT assertion that the intruders entered only a few months ago, and that they have been eradicated from the network. I believe their corp lawyers said that. Any tech who believes either assertion is a fool.)

  9. Cyber-warfare returns us to the Middle Ages by Wormsign · · Score: 3, Interesting

    With the advent of modern weaponry, overwhelming numbers of troops being a tactical advantage became a thing of the past. No longer could you simply overwhelm your foe with bodies. One small unit with heavy machine guns or a tank or air support could take out much larger opposing forces who were not as well armed. We now see this situation reversing itself. China has an overabundance of warm bodies and they can easily throw many more people at cyber-warfare and cyber-espionage than we can. Other than gradually moving more infrastructure off the public internet and blocking massive swathes of IP address space, I don't see any solution to this that won't be so cost-prohibitive that we end up bankrupting ourselves (more) to fend them off. Even blocking IPs doesn't work now when they control botnets within our borders. The battle lines are continuously obscured. How can you defend when there is no direction to defend from? Even moving infrastructure to private networks is complicated, as there is great cost associated when you need to move data or tasks to and from the public internet. China isn't going away, and they have no incentive to stop trying to hack our systems. We have nowhere near the manpower it would take to respond in kind, and doing something like Stuxnet on them would likely backfire or escalate beyond our control. Maybe that escalation is the only solution. It's scary.

  10. Stop drinking the Koolaid by Anonymous Coward · · Score: 4, Insightful

    Except that the West goes after military targets. China targets civilians.

    You're not paying attention. Don't whitewash "the West" - it's governed by corrupt sociopaths who are morally no different from the rulers of China. Our institutions are designed to be less corruptible (which is why our leaders have been changing them) but the humans in power are at least equally evil.

    The series of worms the USA and Mossad introduced in Iran (presumably to keep Shiites from reaching nuclear parity with the West) caused civilian collateral damage to US and Scandinavian businesses. The Bush/Obama administration has laughed it off; the only thing they regret was giving Israel the keys to the worms, which turned out to be a scarily bad idea. They don't seem to regret the car-bombing campaign "the West" directed against civilian Iranian scientists and their families, either. This isn't any "conspiracy theory" crap, either, it's recent history. It's exhaustively documented in wikipedia at this point, as well as newspapers and books.

    Here in reality [tm] all the existing countries that have the capacity to harm designated "enemies of the state" and get away with it, regardless of civilian/military status, seem quite willing to do so. That includes the Vatican and probably would include the Dalai Lama if he had the ability. Obama's administration blows up teenagers with US citizenship, and Bush's administration knowingly tortured innocent people to death for amusement. They're all evil.

  11. Maybe you should get rid of Windows? by Anonymous Coward · · Score: 4, Insightful

    By far the largest security hole is Windows.

    When the US Gov abolishes Windows, I will assume it is serious. Until then, this is political theatre.

  12. Re:What about Diplomacy? by denvergeek · · Score: 2

    Hillary Clinton is not the Secretary of State.

  13. Nice PR for Mandiant and Richard Beitjich by Master+of+Transhuman · · Score: 4, Interesting

    While there's no doubt that there are hundreds of thousands of hackers in China (not surprising given the population there), and there is little doubt that many of them are going to be hacking the "Big Bad" (i.e., the U.S.), this is mostly a PR campaign for Mandiant and Richard Beitjich.

    Beitjich has been bitching and moaning about China for years now. He won't be satisfied until the US is at war with China - not cyberwar, REAL war.

    The problem is multiple:

    1) First, there is my "security meme" which should be engraved on everyone's forehead:

    "You can haz better security, you can haz worse security. But you cannot haz 'security'. There is no security. Deal."

    This means there is no way to keep hackers out of your networks, given the state of the software and telecommunications industries in terms of software development. There is no secure software (short of some specific stuff used by the DoD - and I'm not sure about thee, as the saying goes) and no secure infrastructure. What one guy can make, another guy can break. This is history.

    The consensus in infosec today is that the best you can do is try to detect a breach, react to it and contain it so the enemy doesn't get everything it's after. All attempts at "preventing" hacking are utterly futile.

    2) Cybercrime is a "growth industry". It's where the narcotics industry was back in the first half of the 20th Century after the anti-drug laws were passed. It will continue to grow until the software and telecommunications industries change their development practices - and based on human resistance to change, this won't happen until cybercrime is ubiquitous and governments and corporations are nailed to a wall of loss.

    3) As we used to say in Federal prison, "I hope you don't like it. What are you going to do about it?" i.e., China is a nuclear power. They have 200 or so nuclear warheads. So what is the US going to do to stop Chinese hackers from spying? Bomb them? Threaten them with trade sanctions and start a trade war - with China owning trillions of dollars of US debt and being the US's biggest trading partner? The days are gone when the US can just stomp on countries they don't like. Iran is giving the US the finger over the sanctions on it. How much less is China going to be affected?

    Finally, I view this whole situation as "leveling the playing field." This is related to 2) above. The U.S. has used its military and economic clout for a hundred years to overwhelm and push countries all over the world around. What is happening now is that the chickens are coming home to roost. The U.S. "intellectual property" (an oxymoron at best) regime is being looted - as it should be.

    So nothing is going to change for at least the next decade, maybe two decades.

    So as my meme says: Deal.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  14. Cybervoodoo and APT nonsense by cyberpocalypse · · Score: 2

    The same elite "Cyber" group in the PLA is also selling fake Rolexes. If you believe Mandiant, feel free to contact me about shares in the Brooklyn Bridge http://cybernonsense.blogspot.com/2013/02/chinese-hackers-and-security-malware_4130.html